babylonrat | 9cee271113b514769f1f475d53dc1bbf233044c0fec11038b027a563420d2d2b

Analysis

max time kernel
153s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
Size

1.5MB
MD5

3dd1804a642a4d96777a807dc9e5ae10
SHA1

972d878cf92f3db5bb503bbce1d3cc8500e3da10
SHA256

9cee271113b514769f1f475d53dc1bbf233044c0fec11038b027a563420d2d2b
SHA512

a2f508e1de292a77a184a6f421c49b2546ddfee0eb566868646274159d30af0ee20405015d8eb3899697d2005d81c1357ec5b0a749bb30bbe1125a5c33311e19
SSDEEP

24576:dbCj2sObHtqQ4QqH0XlE654b4fX3fo8wBgNcP:dbCjPKNqQqH0XSucl

Score

10^/10

babylonrat trojan upx

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 3 IoCs

pid	Process
3380	HostController.exe
32	winmgr329.exe
4416	HostController.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2416-4-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2416-6-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2416-8-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2416-9-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2416-10-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2416-11-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2416-12-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2416-13-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2416-14-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2416-15-0x00000000000D0000-0x0000000000199000-memory.dmp	upx

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0006000000022e04-27.dat	autoit_exe
behavioral2/files/0x0006000000022e04-28.dat	autoit_exe
behavioral2/files/0x0006000000022e07-29.dat	autoit_exe
behavioral2/files/0x0006000000022e07-30.dat	autoit_exe
behavioral2/files/0x0006000000022e04-55.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 2416	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1976	schtasks.exe
5372	schtasks.exe
4300	schtasks.exe
5920	schtasks.exe
3288	schtasks.exe
3916	schtasks.exe
5372	schtasks.exe
2560	schtasks.exe
3920	schtasks.exe
2160	schtasks.exe
1656	schtasks.exe
3680	schtasks.exe
4672	schtasks.exe
2060	schtasks.exe
2480	schtasks.exe
3316	schtasks.exe
3352	schtasks.exe
6108	schtasks.exe
5876	schtasks.exe
4264	schtasks.exe
5076	schtasks.exe
2568	schtasks.exe
5660	schtasks.exe
3676	schtasks.exe
5260	schtasks.exe
5896	schtasks.exe
4964	schtasks.exe
5868	schtasks.exe
5388	schtasks.exe
5288	schtasks.exe
5944	schtasks.exe
4980	schtasks.exe
4744	schtasks.exe
64	schtasks.exe
228	schtasks.exe
5020	schtasks.exe
5220	schtasks.exe
5340	schtasks.exe
5768	schtasks.exe
5196	schtasks.exe
5488	schtasks.exe
5296	schtasks.exe
3576	schtasks.exe
3828	schtasks.exe
5016	schtasks.exe
1232	schtasks.exe
5036	schtasks.exe
5752	schtasks.exe
5336	schtasks.exe
2664	schtasks.exe
5624	schtasks.exe
4420	schtasks.exe
1164	schtasks.exe
6068	schtasks.exe
4588	schtasks.exe
4944	schtasks.exe
4640	schtasks.exe
5844	schtasks.exe
5944	schtasks.exe
5608	schtasks.exe
1412	schtasks.exe
5380	schtasks.exe
1060	schtasks.exe
5536	schtasks.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
5632	PING.EXE
5688	PING.EXE
4596	PING.EXE
2360	PING.EXE
5540	PING.EXE
6128	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2416	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2416	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
Token: SeDebugPrivilege	2416	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
Token: SeTcbPrivilege	2416	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2416	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4692	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	98
PID 4920 wrote to memory of 4692	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	98
PID 4920 wrote to memory of 4692	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	98
PID 4692 wrote to memory of 4552	4692	cmd.exe	101
PID 4692 wrote to memory of 4552	4692	cmd.exe	101
PID 4692 wrote to memory of 4552	4692	cmd.exe	101
PID 4920 wrote to memory of 4744	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	102
PID 4920 wrote to memory of 4744	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	102
PID 4920 wrote to memory of 4744	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	102
PID 4920 wrote to memory of 2416	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	105
PID 4920 wrote to memory of 2416	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	105
PID 4920 wrote to memory of 2416	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	105
PID 4920 wrote to memory of 2416	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	105
PID 4920 wrote to memory of 2416	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	105
PID 4920 wrote to memory of 4412	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	106
PID 4920 wrote to memory of 4412	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	106
PID 4920 wrote to memory of 4412	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	106
PID 4920 wrote to memory of 1792	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	107
PID 4920 wrote to memory of 1792	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	107
PID 4920 wrote to memory of 1792	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	107
PID 4920 wrote to memory of 2588	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	110
PID 4920 wrote to memory of 2588	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	110
PID 4920 wrote to memory of 2588	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	110
PID 4552 wrote to memory of 4596	4552	cmd.exe	112
PID 4552 wrote to memory of 4596	4552	cmd.exe	112
PID 4552 wrote to memory of 4596	4552	cmd.exe	112
PID 4920 wrote to memory of 680	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	113
PID 4920 wrote to memory of 680	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	113
PID 4920 wrote to memory of 680	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	113
PID 4920 wrote to memory of 3356	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	115
PID 4920 wrote to memory of 3356	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	115
PID 4920 wrote to memory of 3356	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	115
PID 4920 wrote to memory of 1864	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	117
PID 4920 wrote to memory of 1864	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	117
PID 4920 wrote to memory of 1864	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	117
PID 4920 wrote to memory of 628	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	119
PID 4920 wrote to memory of 628	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	119
PID 4920 wrote to memory of 628	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	119
PID 4920 wrote to memory of 2060	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	121
PID 4920 wrote to memory of 2060	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	121
PID 4920 wrote to memory of 2060	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	121
PID 4920 wrote to memory of 4148	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	123
PID 4920 wrote to memory of 4148	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	123
PID 4920 wrote to memory of 4148	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	123
PID 4920 wrote to memory of 3048	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	125
PID 4920 wrote to memory of 3048	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	125
PID 4920 wrote to memory of 3048	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	125
PID 4920 wrote to memory of 3920	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	127
PID 4920 wrote to memory of 3920	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	127
PID 4920 wrote to memory of 3920	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	127
PID 4920 wrote to memory of 4092	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	129
PID 4920 wrote to memory of 4092	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	129
PID 4920 wrote to memory of 4092	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	129
PID 4920 wrote to memory of 4424	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	131
PID 4920 wrote to memory of 4424	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	131
PID 4920 wrote to memory of 4424	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	131
PID 4920 wrote to memory of 3576	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	133
PID 4920 wrote to memory of 3576	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	133
PID 4920 wrote to memory of 3576	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	133
PID 4920 wrote to memory of 3508	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	136
PID 4920 wrote to memory of 3508	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	136
PID 4920 wrote to memory of 3508	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	136
PID 4920 wrote to memory of 2600	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	138
PID 4920 wrote to memory of 2600	4920	NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe	138

C:\Users\Admin\AppData\Local\Temp\NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\File.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\PROGRA~3\File.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:4596
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:2360
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:5540
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:6128
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:5632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:5688
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
      4⤵
      PID:2808
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "HostController" /tr "C:\ProgramData\HostController.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\NEAS.3dd1804a642a4d96777a807dc9e5ae10.exe
  0
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2416
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4412
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1792
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2588
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:680
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3356
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1864
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:628
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2060
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4148
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3048
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3920
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4092
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4424
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3576
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3508
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4320
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2480
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:64
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3380
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3680
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1664
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2664
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3544
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3748
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1232
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5140
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5196
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5252
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5308
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5372
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5436
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5488
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5564
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5616
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5684
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5748
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5792
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5844
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5896
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5952
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6068
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5268
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4396
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4284
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1576
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:32
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4744
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5504
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5032
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4404
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5412
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4172
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4900
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4596
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5544
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5588
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5464
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5592
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5892
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5944
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5832
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5800
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6104
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5388
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5328
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:228
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1000
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1804
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3588
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4964
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5152
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5860
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5704
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1976
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5348
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2160
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3528
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1780
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4412
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5316
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5168
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5296
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2880
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4640
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4672
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6108
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5740
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4288
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5788
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5780
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5868
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5900
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6000
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6092
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6100
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6020
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5036
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1304
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2480
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4284
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:8
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2556
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5064
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4868
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6128
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4300
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3848
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5380
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1656
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5020
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5152
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5760
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5416
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2380
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5372
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5256
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5220
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3356
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5168
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5724
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2004
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5608
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5260
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5920
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5752
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5748
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5876
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3316
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3288
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5008
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5912
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5896
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2740
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5840
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3540
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5340
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4252
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:524
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5064
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6096
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5388
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1352
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5648
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2360
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3828
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4868
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4588
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5564
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3916
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4408
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1976
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1164
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2644
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5148
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5968
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4404
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3796
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5572
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5920
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5652
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3676
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5876
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3384
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3784
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5260
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2260
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5244
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4288
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5376
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5880
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3872
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1468
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:812
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1060
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:996
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1256
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5588
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1484
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4384
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2488
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5536
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4944
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5076
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3828
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:228
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5768
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5328
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4264
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3352
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5336
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5944
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4548
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:688
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5312
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3468
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2952
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:232
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5288
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3288
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5892
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:964
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1412
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5372
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4640
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5540
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4084
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5816
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5620
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5228
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5956
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5992
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1232
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3928
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5804
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4252
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2560
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5452
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4420
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5232
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4124
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5660
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2664
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1400
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5016
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4980
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5156
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4532
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5604
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2724
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1836
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5400
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5624
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1164
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4152
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3692
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5916
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5176
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4956

C:\ProgramData\HostController.exe
C:\ProgramData\HostController.exe
1⤵
- Executes dropped EXE
PID:3380

C:\ProgramData\winmgr329.exe
C:\ProgramData\winmgr329.exe
1⤵
- Executes dropped EXE
PID:32

C:\ProgramData\HostController.exe
C:\ProgramData\HostController.exe
1⤵
- Executes dropped EXE
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\File.bat

Filesize
761B

MD5
583540fd7a2b1c752b10e55c64a0cb00

SHA1
f1d600b36e4c751e71817590a5f02fddc7c0dc4e

SHA256
e2fb0ed137bfacc99f4f879445de3fe61ea469bf382007c8af2611c0879f1ca6

SHA512
db88afc9fdfc86c6026ed0d0e445d720bc0cde682266d3edd2d083a531c5ea91a85dc3075719dd91ac485eff1ed19d3e641f4509945b5a7dd6d322ae730d7a04

Download Submit
C:\ProgramData\HostController.exe

Filesize
1.5MB

MD5
9376c10b44ea34fbb6174fd1bcee3d7d

SHA1
ce9a8c8e150aa623d46a0a79cea5f0ae85fc9c7c

SHA256
f90c33e6ed9bde614977235e775e7038ffc531a15e27e0eb34724deced26c7ff

SHA512
dac114166a525ebe3a1284aca98d99a82e3e6c30d063dd8e28e03b1cecac2334e2a42acd2e76b9768c249a9f83fb753022ac999a623147250e6b20a142c46dcf

Download Submit
C:\ProgramData\HostController.exe

Filesize
1.5MB

MD5
9376c10b44ea34fbb6174fd1bcee3d7d

SHA1
ce9a8c8e150aa623d46a0a79cea5f0ae85fc9c7c

SHA256
f90c33e6ed9bde614977235e775e7038ffc531a15e27e0eb34724deced26c7ff

SHA512
dac114166a525ebe3a1284aca98d99a82e3e6c30d063dd8e28e03b1cecac2334e2a42acd2e76b9768c249a9f83fb753022ac999a623147250e6b20a142c46dcf

Download Submit
C:\ProgramData\HostController.exe

Filesize
1.5MB

MD5
9376c10b44ea34fbb6174fd1bcee3d7d

SHA1
ce9a8c8e150aa623d46a0a79cea5f0ae85fc9c7c

SHA256
f90c33e6ed9bde614977235e775e7038ffc531a15e27e0eb34724deced26c7ff

SHA512
dac114166a525ebe3a1284aca98d99a82e3e6c30d063dd8e28e03b1cecac2334e2a42acd2e76b9768c249a9f83fb753022ac999a623147250e6b20a142c46dcf

Download Submit
C:\ProgramData\winmgr329.exe

Filesize
1.5MB

MD5
871f81515a590c97d1a16f6136160005

SHA1
2bfe5195032144edacf997ea950111a7ae185ae1

SHA256
73b6c63399679f6369e3b2a61ae3f83471f5954db51809a530d795072a549431

SHA512
7d322c267408d6fdacaa1d0ce039c6f38c3af5ff239d570f84feeac88c22be464a87978f3aeedb8d4b7a3708648cddc1946dc3f555b80c2f33b9515a75a50837

Download Submit
C:\ProgramData\winmgr329.exe

Filesize
1.5MB

MD5
871f81515a590c97d1a16f6136160005

SHA1
2bfe5195032144edacf997ea950111a7ae185ae1

SHA256
73b6c63399679f6369e3b2a61ae3f83471f5954db51809a530d795072a549431

SHA512
7d322c267408d6fdacaa1d0ce039c6f38c3af5ff239d570f84feeac88c22be464a87978f3aeedb8d4b7a3708648cddc1946dc3f555b80c2f33b9515a75a50837

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
140B

MD5
a5b9abb102d92b9b384a76ba6f92844c

SHA1
7776eab88801c625974a699aa6719200440cba0c

SHA256
76b962c2991667590055ce22e62e9b307063e486b79cf70da4f9fc90ef73b51e

SHA512
589110ca2c292037fbe2780fb4870d90f3899a29bc7a9face35ae1d448a109311ab345a93527614447f61d3c957b3a4f7c0786c18d95dae0c3ddcd6dd9e16382

Download Submit
memory/2416-9-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2416-13-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2416-14-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2416-15-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2416-12-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2416-11-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2416-10-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2416-8-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2416-6-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2416-4-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download