babylonrat | 93db7ed57c674c3e48bcc41dae7e5881ca8f0816fa1a56a506e35844ddb24891

Analysis

max time kernel
154s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2023 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
Size

1.5MB
MD5

757d90d8c7aee1482dd03b57669f9cd0
SHA1

85164cef35194c7938f90c4d418dd8daed96cd43
SHA256

93db7ed57c674c3e48bcc41dae7e5881ca8f0816fa1a56a506e35844ddb24891
SHA512

d2bd5bb470215ca84c473180454e04838df680d32bc66e63ef98222f89f0fe5fe891515c5ddee489f8dbe5e5ef02c476bf5f359857cbcda6d88ab67361722856
SSDEEP

24576:dbCj2sObHtqQ4QqH0XlE654b4fX3fo8wBgNcF:dbCjPKNqQqH0XSucX

Score

10^/10

babylonrat trojan upx

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 4 IoCs

pid	Process
3044	HostController.exe
1172	winmgr329.exe
6512	HostController.exe
2548	winmgr329.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2052-4-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2052-6-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2052-7-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2052-8-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2052-9-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2052-10-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2052-11-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2052-12-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2052-13-0x00000000000D0000-0x0000000000199000-memory.dmp	upx
behavioral2/memory/2052-17-0x00000000000D0000-0x0000000000199000-memory.dmp	upx

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0006000000022e1f-14.dat	autoit_exe
behavioral2/files/0x0006000000022e1f-15.dat	autoit_exe
behavioral2/files/0x0006000000022e22-18.dat	autoit_exe
behavioral2/files/0x0006000000022e22-19.dat	autoit_exe
behavioral2/files/0x0006000000022e1f-45.dat	autoit_exe
behavioral2/files/0x0006000000022e22-46.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 2052	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3876	schtasks.exe
5864	schtasks.exe
6220	schtasks.exe
6180	schtasks.exe
2200	schtasks.exe
4956	schtasks.exe
2864	schtasks.exe
2660	schtasks.exe
4880	schtasks.exe
6328	schtasks.exe
4436	schtasks.exe
6156	schtasks.exe
5808	schtasks.exe
1028	schtasks.exe
6520	schtasks.exe
5820	schtasks.exe
1836	schtasks.exe
7144	schtasks.exe
1464	schtasks.exe
5140	schtasks.exe
5280	schtasks.exe
4284	schtasks.exe
1680	schtasks.exe
5608	schtasks.exe
3824	schtasks.exe
5256	schtasks.exe
5668	schtasks.exe
6852	schtasks.exe
6416	schtasks.exe
3944	schtasks.exe
4440	schtasks.exe
3184	schtasks.exe
6076	schtasks.exe
5528	schtasks.exe
6660	schtasks.exe
5272	schtasks.exe
7108	schtasks.exe
2424	schtasks.exe
5548	schtasks.exe
5828	schtasks.exe
216	schtasks.exe
5468	schtasks.exe
4300	schtasks.exe
5892	schtasks.exe
2804	schtasks.exe
5628	schtasks.exe
4388	schtasks.exe
864	schtasks.exe
5932	schtasks.exe
4960	schtasks.exe
4016	schtasks.exe
2720	schtasks.exe
1944	schtasks.exe
4272	schtasks.exe
1456	schtasks.exe
5708	schtasks.exe
5892	schtasks.exe
2664	schtasks.exe
1996	schtasks.exe
3956	schtasks.exe
5396	schtasks.exe
5540	schtasks.exe
6592	schtasks.exe
5036	schtasks.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
4328	PING.EXE
3304	PING.EXE
4076	PING.EXE
3912	PING.EXE
5312	PING.EXE
5828	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2052	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2052	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
Token: SeDebugPrivilege	2052	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
Token: SeTcbPrivilege	2052	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2052	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 4284	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	91
PID 2000 wrote to memory of 4284	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	91
PID 2000 wrote to memory of 4284	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	91
PID 4284 wrote to memory of 2632	4284	cmd.exe	95
PID 4284 wrote to memory of 2632	4284	cmd.exe	95
PID 4284 wrote to memory of 2632	4284	cmd.exe	95
PID 2000 wrote to memory of 2200	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	94
PID 2000 wrote to memory of 2200	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	94
PID 2000 wrote to memory of 2200	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	94
PID 2000 wrote to memory of 2052	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	99
PID 2000 wrote to memory of 2052	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	99
PID 2000 wrote to memory of 2052	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	99
PID 2000 wrote to memory of 2052	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	99
PID 2000 wrote to memory of 2052	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	99
PID 2000 wrote to memory of 1996	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	100
PID 2000 wrote to memory of 1996	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	100
PID 2000 wrote to memory of 1996	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	100
PID 2632 wrote to memory of 4328	2632	cmd.exe	103
PID 2632 wrote to memory of 4328	2632	cmd.exe	103
PID 2632 wrote to memory of 4328	2632	cmd.exe	103
PID 2000 wrote to memory of 3848	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	105
PID 2000 wrote to memory of 3848	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	105
PID 2000 wrote to memory of 3848	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	105
PID 2000 wrote to memory of 4956	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	108
PID 2000 wrote to memory of 4956	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	108
PID 2000 wrote to memory of 4956	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	108
PID 2000 wrote to memory of 4048	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	110
PID 2000 wrote to memory of 4048	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	110
PID 2000 wrote to memory of 4048	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	110
PID 2000 wrote to memory of 3592	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	112
PID 2000 wrote to memory of 3592	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	112
PID 2000 wrote to memory of 3592	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	112
PID 2000 wrote to memory of 4536	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	114
PID 2000 wrote to memory of 4536	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	114
PID 2000 wrote to memory of 4536	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	114
PID 2000 wrote to memory of 1180	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	116
PID 2000 wrote to memory of 1180	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	116
PID 2000 wrote to memory of 1180	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	116
PID 2000 wrote to memory of 1352	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	118
PID 2000 wrote to memory of 1352	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	118
PID 2000 wrote to memory of 1352	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	118
PID 2000 wrote to memory of 3532	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	120
PID 2000 wrote to memory of 3532	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	120
PID 2000 wrote to memory of 3532	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	120
PID 2000 wrote to memory of 2864	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	122
PID 2000 wrote to memory of 2864	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	122
PID 2000 wrote to memory of 2864	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	122
PID 2000 wrote to memory of 4764	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	124
PID 2000 wrote to memory of 4764	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	124
PID 2000 wrote to memory of 4764	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	124
PID 2000 wrote to memory of 3776	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	126
PID 2000 wrote to memory of 3776	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	126
PID 2000 wrote to memory of 3776	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	126
PID 2000 wrote to memory of 5040	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	128
PID 2000 wrote to memory of 5040	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	128
PID 2000 wrote to memory of 5040	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	128
PID 2000 wrote to memory of 2720	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	131
PID 2000 wrote to memory of 2720	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	131
PID 2000 wrote to memory of 2720	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	131
PID 2000 wrote to memory of 3876	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	133
PID 2000 wrote to memory of 3876	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	133
PID 2000 wrote to memory of 3876	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	133
PID 2000 wrote to memory of 4284	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	135
PID 2000 wrote to memory of 4284	2000	NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe	135

C:\Users\Admin\AppData\Local\Temp\NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\File.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\PROGRA~3\File.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:4328
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:3304
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:4076
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:3912
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:5312
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      Runs ping.exe
      PID:5828
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
      4⤵
      PID:6696
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "HostController" /tr "C:\ProgramData\HostController.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\NEAS.757d90d8c7aee1482dd03b57669f9cd0.exe
  0
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2052
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1996
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3848
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4956
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4048
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3592
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4536
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1180
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1352
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3532
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2864
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4764
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3776
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5040
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2720
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3876
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4284
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2124
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3956
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2660
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4888
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1244
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3944
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:452
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1464
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4496
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5100
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:400
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4232
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1036
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4016
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3452
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1936
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2804
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1692
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3776
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4272
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1944
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5036
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1680
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4440
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3844
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4880
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1456
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3344
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5128
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5200
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5256
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5336
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5392
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5452
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5512
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5572
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5648
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5708
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5768
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5876
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5932
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5992
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6052
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6104
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5272
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5448
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5632
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5864
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4960
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:556
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5888
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6156
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6220
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6276
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6328
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6384
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6440
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6496
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6556
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6616
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6716
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6772
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6828
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6884
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6940
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6996
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:7052
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:7108
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6176
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3500
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6508
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6736
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6960
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:7128
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4172
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1468
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6240
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6792
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3372
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4528
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5364
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5344
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2444
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5140
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1708
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3184
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4300
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5428
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5808
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5608
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1244
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2804
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2424
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4224
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3844
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1028
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5200
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5260
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5284
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5548
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6076
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5216
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5892
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5220
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5920
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5908
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5528
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5372
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:2664
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:7124
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6988
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6852
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4564
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:3824
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6248
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6448
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6392
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6332
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6520
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:7148
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6584
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:7080
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:216
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5304
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3988
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5820
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5680
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5396
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3912
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2172
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3372
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6660
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5536
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5628
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2580
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6760
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5596
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6980
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6180
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1176
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5932
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2456
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5256
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:864
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5260
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3460
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4264
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5668
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6416
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5540
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5520
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5828
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5892
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5468
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6964
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:940
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4016
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5948
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6876
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6864
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6848
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:1836
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6624
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1816
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4388
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2040
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6884
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1384
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6496
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:7144
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:6592
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:7052
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:4436
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Creates scheduled task(s)
  PID:5280
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4912
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5772
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5176
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5788
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:5396
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:524
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4616
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1680
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6836
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1608
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:6652
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:4440
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2348
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3372

C:\ProgramData\HostController.exe
C:\ProgramData\HostController.exe
1⤵
- Executes dropped EXE
PID:3044

C:\ProgramData\winmgr329.exe
C:\ProgramData\winmgr329.exe
1⤵
- Executes dropped EXE
PID:1172

C:\ProgramData\HostController.exe
C:\ProgramData\HostController.exe
1⤵
- Executes dropped EXE
PID:6512

C:\ProgramData\winmgr329.exe
C:\ProgramData\winmgr329.exe
1⤵
- Executes dropped EXE
PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\File.bat

Filesize
761B

MD5
583540fd7a2b1c752b10e55c64a0cb00

SHA1
f1d600b36e4c751e71817590a5f02fddc7c0dc4e

SHA256
e2fb0ed137bfacc99f4f879445de3fe61ea469bf382007c8af2611c0879f1ca6

SHA512
db88afc9fdfc86c6026ed0d0e445d720bc0cde682266d3edd2d083a531c5ea91a85dc3075719dd91ac485eff1ed19d3e641f4509945b5a7dd6d322ae730d7a04

Download Submit
C:\ProgramData\HostController.exe

Filesize
1.5MB

MD5
de37be1fbf157a7a178cd1cb85659c75

SHA1
063a85d84f67e966ce564414b504723f967c1bba

SHA256
df07aec27d37e32f35ce75c300e6196bfc9f77e149b3f7ff374681d0e214bfee

SHA512
587d55afca6a2100bbcf5db1e62f5c41744e0536d8b8b9f36f3f42c8b58248ed42b3f2d88dc536bc9bfa64466e44332ea2c6950ae0653f8714ad0bccce4ea913

Download Submit
C:\ProgramData\HostController.exe

Filesize
1.5MB

MD5
de37be1fbf157a7a178cd1cb85659c75

SHA1
063a85d84f67e966ce564414b504723f967c1bba

SHA256
df07aec27d37e32f35ce75c300e6196bfc9f77e149b3f7ff374681d0e214bfee

SHA512
587d55afca6a2100bbcf5db1e62f5c41744e0536d8b8b9f36f3f42c8b58248ed42b3f2d88dc536bc9bfa64466e44332ea2c6950ae0653f8714ad0bccce4ea913

Download Submit
C:\ProgramData\HostController.exe

Filesize
1.5MB

MD5
de37be1fbf157a7a178cd1cb85659c75

SHA1
063a85d84f67e966ce564414b504723f967c1bba

SHA256
df07aec27d37e32f35ce75c300e6196bfc9f77e149b3f7ff374681d0e214bfee

SHA512
587d55afca6a2100bbcf5db1e62f5c41744e0536d8b8b9f36f3f42c8b58248ed42b3f2d88dc536bc9bfa64466e44332ea2c6950ae0653f8714ad0bccce4ea913

Download Submit
C:\ProgramData\winmgr329.exe

Filesize
1.5MB

MD5
b2ac467a4af4dc6f9f71538f0edeb0c8

SHA1
20bc1c471f7f74816f81b5095ca4db3d089cf99a

SHA256
bf62a27d109410bf2eedfe663614bbe5ebcc8faa518ffee7cbae271ba57b560f

SHA512
95bfd515bbfe4d474074a0cf71a4341fc706e397e12179280275fcd25b0e5914e7807e9200c240a63383c0e51474f7daab44ee514e5df485a6f355beb97dd76a

Download Submit
C:\ProgramData\winmgr329.exe

Filesize
1.5MB

MD5
b2ac467a4af4dc6f9f71538f0edeb0c8

SHA1
20bc1c471f7f74816f81b5095ca4db3d089cf99a

SHA256
bf62a27d109410bf2eedfe663614bbe5ebcc8faa518ffee7cbae271ba57b560f

SHA512
95bfd515bbfe4d474074a0cf71a4341fc706e397e12179280275fcd25b0e5914e7807e9200c240a63383c0e51474f7daab44ee514e5df485a6f355beb97dd76a

Download Submit
C:\ProgramData\winmgr329.exe

Filesize
1.5MB

MD5
b2ac467a4af4dc6f9f71538f0edeb0c8

SHA1
20bc1c471f7f74816f81b5095ca4db3d089cf99a

SHA256
bf62a27d109410bf2eedfe663614bbe5ebcc8faa518ffee7cbae271ba57b560f

SHA512
95bfd515bbfe4d474074a0cf71a4341fc706e397e12179280275fcd25b0e5914e7807e9200c240a63383c0e51474f7daab44ee514e5df485a6f355beb97dd76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
140B

MD5
a5b9abb102d92b9b384a76ba6f92844c

SHA1
7776eab88801c625974a699aa6719200440cba0c

SHA256
76b962c2991667590055ce22e62e9b307063e486b79cf70da4f9fc90ef73b51e

SHA512
589110ca2c292037fbe2780fb4870d90f3899a29bc7a9face35ae1d448a109311ab345a93527614447f61d3c957b3a4f7c0786c18d95dae0c3ddcd6dd9e16382

Download Submit
memory/2052-12-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2052-13-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2052-11-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2052-10-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2052-17-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2052-9-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2052-8-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2052-7-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2052-6-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download
memory/2052-4-0x00000000000D0000-0x0000000000199000-memory.dmp

Filesize
804KB

Download