babylonrat | 633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
submitted
15-03-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
Size

1.5MB
MD5

d73ddcf84310a2b31bb9be4af8b4ea67
SHA1

43df201182a4b883ccc718d853d4d674bddd7d83
SHA256

633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73
SHA512

9e4a92f34ed80c17328e957a47320adb3e3c3a49d267aee0e5203be405f76179a8390791c614a29bf0bfd375d566772a6f30d5c7060e75e909de4137e33a1acf
SSDEEP

24576:dbCj2sObHtqQ4QqH0XlE654b4fX3fo8wBgNcK:dbCjPKNqQqH0XSucM

Score

10^/10

babylonrat discovery trojan upx

Malware Config

Extracted

Family

babylonrat

appleupdate.uk.to

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 8 IoCs

resource	yara_rule
behavioral1/memory/2804-11-0x00000000000C0000-0x0000000000189000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2804-13-0x00000000000C0000-0x0000000000189000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2804-14-0x00000000000C0000-0x0000000000189000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2804-15-0x00000000000C0000-0x0000000000189000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2804-16-0x00000000000C0000-0x0000000000189000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2804-17-0x00000000000C0000-0x0000000000189000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2804-18-0x00000000000C0000-0x0000000000189000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2804-20-0x00000000000C0000-0x0000000000189000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

UPX dump on OEP (original entry point) 11 IoCs

resource	yara_rule
behavioral1/memory/2804-8-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX
behavioral1/memory/2804-10-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX
behavioral1/memory/2804-12-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX
behavioral1/memory/2804-11-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX
behavioral1/memory/2804-13-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX
behavioral1/memory/2804-14-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX
behavioral1/memory/2804-15-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX
behavioral1/memory/2804-16-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX
behavioral1/memory/2804-17-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX
behavioral1/memory/2804-18-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX
behavioral1/memory/2804-20-0x00000000000C0000-0x0000000000189000-memory.dmp	UPX

Executes dropped EXE 3 IoCs

pid	Process
2020	HostController.exe
1780	HostController.exe
2660	winmgr329.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000e000000016cd7-40.dat	autoit_exe
behavioral1/files/0x000e000000016d0b-68.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 2804	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	35

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2804-8-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2804-10-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2804-12-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2804-11-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2804-13-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2804-14-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2804-15-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2804-16-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2804-17-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2804-18-0x00000000000C0000-0x0000000000189000-memory.dmp	upx
behavioral1/memory/2804-20-0x00000000000C0000-0x0000000000189000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winmgr329.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2576	PING.EXE
2708	PING.EXE
2628	PING.EXE
1216	PING.EXE
872	PING.EXE
2364	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2364	PING.EXE
2576	PING.EXE
2708	PING.EXE
2628	PING.EXE
1216	PING.EXE
872	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe
2360	schtasks.exe
2404	schtasks.exe
2496	schtasks.exe
996	schtasks.exe
2832	schtasks.exe
1620	schtasks.exe
1564	schtasks.exe
2772	schtasks.exe
2040	schtasks.exe
1140	schtasks.exe
1480	schtasks.exe
2616	schtasks.exe
2396	schtasks.exe
308	schtasks.exe
1596	schtasks.exe
2120	schtasks.exe
916	schtasks.exe
3060	schtasks.exe
2444	schtasks.exe
2984	schtasks.exe
2508	schtasks.exe
2708	schtasks.exe
2972	schtasks.exe
2872	schtasks.exe
2292	schtasks.exe
2492	schtasks.exe
2848	schtasks.exe
1512	schtasks.exe
2364	schtasks.exe
2068	schtasks.exe
2228	schtasks.exe
2456	schtasks.exe
1032	schtasks.exe
1028	schtasks.exe
916	schtasks.exe
2116	schtasks.exe
2676	schtasks.exe
2200	schtasks.exe
2648	schtasks.exe
1508	schtasks.exe
892	schtasks.exe
364	schtasks.exe
2400	schtasks.exe
2240	schtasks.exe
1592	schtasks.exe
1988	schtasks.exe
2688	schtasks.exe
2356	schtasks.exe
2332	schtasks.exe
524	schtasks.exe
2240	schtasks.exe
2168	schtasks.exe
1484	schtasks.exe
1012	schtasks.exe
2760	schtasks.exe
2764	schtasks.exe
2392	schtasks.exe
2956	schtasks.exe
2684	schtasks.exe
2168	schtasks.exe
1816	schtasks.exe
2800	schtasks.exe
1852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2804	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
Token: SeDebugPrivilege	2804	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
Token: SeTcbPrivilege	2804	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2804	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2536	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	28
PID 2840 wrote to memory of 2536	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	28
PID 2840 wrote to memory of 2536	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	28
PID 2840 wrote to memory of 2536	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	28
PID 2536 wrote to memory of 3008	2536	cmd.exe	30
PID 2536 wrote to memory of 3008	2536	cmd.exe	30
PID 2536 wrote to memory of 3008	2536	cmd.exe	30
PID 2536 wrote to memory of 3008	2536	cmd.exe	30
PID 2840 wrote to memory of 2492	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	32
PID 2840 wrote to memory of 2492	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	32
PID 2840 wrote to memory of 2492	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	32
PID 2840 wrote to memory of 2492	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	32
PID 3008 wrote to memory of 2576	3008	cmd.exe	34
PID 3008 wrote to memory of 2576	3008	cmd.exe	34
PID 3008 wrote to memory of 2576	3008	cmd.exe	34
PID 3008 wrote to memory of 2576	3008	cmd.exe	34
PID 2840 wrote to memory of 2804	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	35
PID 2840 wrote to memory of 2804	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	35
PID 2840 wrote to memory of 2804	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	35
PID 2840 wrote to memory of 2804	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	35
PID 2840 wrote to memory of 2804	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	35
PID 2840 wrote to memory of 2804	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	35
PID 2840 wrote to memory of 2360	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	36
PID 2840 wrote to memory of 2360	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	36
PID 2840 wrote to memory of 2360	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	36
PID 2840 wrote to memory of 2360	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	36
PID 2840 wrote to memory of 2272	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	38
PID 2840 wrote to memory of 2272	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	38
PID 2840 wrote to memory of 2272	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	38
PID 2840 wrote to memory of 2272	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	38
PID 2840 wrote to memory of 2352	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	40
PID 2840 wrote to memory of 2352	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	40
PID 2840 wrote to memory of 2352	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	40
PID 2840 wrote to memory of 2352	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	40
PID 2840 wrote to memory of 2424	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	42
PID 2840 wrote to memory of 2424	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	42
PID 2840 wrote to memory of 2424	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	42
PID 2840 wrote to memory of 2424	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	42
PID 2840 wrote to memory of 2872	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	44
PID 2840 wrote to memory of 2872	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	44
PID 2840 wrote to memory of 2872	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	44
PID 2840 wrote to memory of 2872	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	44
PID 2840 wrote to memory of 2332	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	46
PID 2840 wrote to memory of 2332	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	46
PID 2840 wrote to memory of 2332	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	46
PID 2840 wrote to memory of 2332	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	46
PID 2840 wrote to memory of 656	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	48
PID 2840 wrote to memory of 656	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	48
PID 2840 wrote to memory of 656	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	48
PID 2840 wrote to memory of 656	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	48
PID 2840 wrote to memory of 1488	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	50
PID 2840 wrote to memory of 1488	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	50
PID 2840 wrote to memory of 1488	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	50
PID 2840 wrote to memory of 1488	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	50
PID 3008 wrote to memory of 2708	3008	cmd.exe	52
PID 3008 wrote to memory of 2708	3008	cmd.exe	52
PID 3008 wrote to memory of 2708	3008	cmd.exe	52
PID 3008 wrote to memory of 2708	3008	cmd.exe	52
PID 2840 wrote to memory of 2772	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	53
PID 2840 wrote to memory of 2772	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	53
PID 2840 wrote to memory of 2772	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	53
PID 2840 wrote to memory of 2772	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	53
PID 2840 wrote to memory of 2748	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	55
PID 2840 wrote to memory of 2748	2840	633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe	55

C:\Users\Admin\AppData\Local\Temp\633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
"C:\Users\Admin\AppData\Local\Temp\633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\File.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\PROGRA~3\File.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2576
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2708
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2628
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1216
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:872
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 05 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2364
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo C:\Users\Admin\AppData\Local\Temp\tmp.vbs
      4⤵
      PID:1936
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "HostController" /tr "C:\ProgramData\HostController.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\633d837f772773032d1fb16859a6468ca3e7813b678dbfd77f8a1c6152764c73.exe
  0
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2804
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2360
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2272
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2352
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2872
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2332
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:656
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1488
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2772
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2748
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2188
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2192
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2100
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2440
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2668
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2848
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1204
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2032
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2088
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1312
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:836
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2236
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2232
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1972
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1032
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1720
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1844
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1076
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:364
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:916
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1028
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2040
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2832
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1588
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1740
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2432
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2936
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2484
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:524
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2584
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1344
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1948
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2764
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:684
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2752
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2200
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1564
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2100
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2352
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2952
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1044
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2392
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2440
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1568
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1312
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1984
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:892
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2240
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1140
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1532
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1664
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:996
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1076
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:620
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:916
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1640
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1796
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1012
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2832
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1588
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1832
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1916
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2648
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2956
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:872
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2456
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1508
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1480
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2360
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2408
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2688
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2616
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2404
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2396
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2296
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3064
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1356
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2184
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1488
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1312
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1804
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:892
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1512
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2120
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1360
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1296
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:748
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3004
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3060
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:916
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2064
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2068
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1592
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:3032
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2444
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:364
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2692
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2564
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2504
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:308
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2544
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1108
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1484
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:548
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2716
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2732
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2624
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:268
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2364
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2496
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1348
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2208
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2072
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2884
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1816
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1752
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1404
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2800
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1068
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2668
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2052
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1572
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:820
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1988
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1900
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1532
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1296
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2168
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2812
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:620
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:828
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1832
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1916
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2648
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1652
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2692
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2476
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2956
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2584
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2388
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1344
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1292
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:656
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2792
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2400
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:268
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2760
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2292
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2688
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1620
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2356
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1384
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2872
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2448
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1236
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2868
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2240
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2972
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1560
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:908
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2444
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2548
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2604
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1532
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2380
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2188
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2224
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:884
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2752
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1712
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1356
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2116
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1132
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1900
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2052
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2068
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1844
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1364
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1596
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2716
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2508
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:364
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2408
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2580
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2988
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2016
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1564
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2676
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2876
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1852
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1156
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2984
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2348
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2708
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2532
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1688
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1668
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2372
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1756
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2228
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2144
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2548
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:932
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2680
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1988
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2684
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2168
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:620
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2752
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1208
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2236
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:2116
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2120
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1504
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:760
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1260
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1588
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1340
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:320
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr329.exe" /tr "C:\ProgramData\winmgr329.exe" /f
  2⤵
  PID:1652

C:\Windows\system32\taskeng.exe
taskeng.exe {039DCC05-4285-4BE2-865E-EBB8C0587271} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
1⤵
PID:3024
- C:\ProgramData\HostController.exe
  C:\ProgramData\HostController.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\ProgramData\winmgr329.exe
  C:\ProgramData\winmgr329.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\ProgramData\HostController.exe
  C:\ProgramData\HostController.exe
  2⤵
  - Executes dropped EXE
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\File.bat

Filesize
761B

MD5
583540fd7a2b1c752b10e55c64a0cb00

SHA1
f1d600b36e4c751e71817590a5f02fddc7c0dc4e

SHA256
e2fb0ed137bfacc99f4f879445de3fe61ea469bf382007c8af2611c0879f1ca6

SHA512
db88afc9fdfc86c6026ed0d0e445d720bc0cde682266d3edd2d083a531c5ea91a85dc3075719dd91ac485eff1ed19d3e641f4509945b5a7dd6d322ae730d7a04

Download Submit
C:\ProgramData\HostController.exe

Filesize
1.5MB

MD5
2994124244b86903c2bcdad05329dd0c

SHA1
c0f6727f927e2073d0ef189dea1c91737aa05154

SHA256
dcde1bb6784c65f7221419bd512332ab9af3fdfe061f5c3d0d362e421bbdff37

SHA512
8e2b447d64b3c585fdec1176204b4b98d376c36ff337bc525cb5a60299c1280102c3a7ed191a59ffda484b19ce2b4685d744a3b3e7c40a043cc4df4befa547e2

Download Submit
C:\ProgramData\winmgr329.exe

Filesize
1.5MB

MD5
4df1d9a32d35c8f4ba561f2b85c386cf

SHA1
3a03253ffa8b782367b62b42772c69d6a9672a8e

SHA256
90017ea4bf8668ed71d2d335f6563e3afe73d5974c973bb7d96a122066a62c49

SHA512
0e3e3f8ba3e428029d8538ae647fc9a086065fc0205103e34c826e1498801ad90418aa19bf570b98beefc2286929d45dce1c80b51c43a3381928f51d3c97016c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
140B

MD5
a5b9abb102d92b9b384a76ba6f92844c

SHA1
7776eab88801c625974a699aa6719200440cba0c

SHA256
76b962c2991667590055ce22e62e9b307063e486b79cf70da4f9fc90ef73b51e

SHA512
589110ca2c292037fbe2780fb4870d90f3899a29bc7a9face35ae1d448a109311ab345a93527614447f61d3c957b3a4f7c0786c18d95dae0c3ddcd6dd9e16382

Download Submit
memory/2804-14-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-12-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-11-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-13-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-10-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-15-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-16-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-17-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-18-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-20-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-8-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download
memory/2804-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-4-0x00000000000C0000-0x0000000000189000-memory.dmp

Filesize
804KB

Download