asyncrat | 35c4d936db755868a37561663cd4b279b338413db5f89c2f9df71d74a6d35b61

General

Target

Loader.exe
Size

2.1MB
MD5

a07c79f9e2dd72f3b884928ee384344e
SHA1

88df6b54a3e53a501b09b32de2def406820879fa
SHA256

35c4d936db755868a37561663cd4b279b338413db5f89c2f9df71d74a6d35b61
SHA512

cdb6957a1e59b053fdd8f0d43d9b1ba575da2140c5d2c547b87e8a5b1199f2d071f66152ade3cfdb5294903cf42f395a948b28ea87aef9d9aa6eacdeaffdd1fd
SSDEEP

49152:5ZosvRgdkadC7i03aQAZutzArxizJZTrEbupmpVwMgc:5Zostak7RGuqGJZXdpmIn

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes

delay
1
install
true
install_file
Load.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Load.exe	family_asyncrat

Executes dropped EXE 64 IoCs

Processes:

Load.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exe

pid	process
4712	Load.exe
1112	Load.exe
4800	Load.exe
4020	Load.exe
4016	Load.exe
2492	Load.exe
4120	Load.exe
416	Load.exe
4372	Load.exe
4640	Load.exe
1400	Load.exe
1284	Load.exe
3164	Load.exe
3064	Load.exe
3504	Load.exe
3780	Load.exe
4900	Load.exe
2492	Load.exe
4308	Load.exe
1012	Load.exe
1144	Load.exe
1268	Load.exe
700	Load.exe
2256	Load.exe
3068	Load.exe
1100	Load.exe
4132	Load.exe
1192	Load.exe
3980	Load.exe
4080	Load.exe
4544	Load.exe
4980	Load.exe
2112	Load.exe
3744	Load.exe
4608	Load.exe
2500	Load.exe
2128	Load.exe
4984	Load.exe
2232	Load.exe
3880	Load.exe
1856	Load.exe
2840	Load.exe
2040	Load.exe
3748	Load.exe
544	Load.exe
1924	Load.exe
2824	Load.exe
1092	Load.exe
1004	Load.exe
5040	Load.exe
4092	Load.exe
3688	Load.exe
1252	Load.exe
3420	Load.exe
2256	Load.exe
3068	Load.exe
3152	Load.exe
3360	Load.exe
1644	Load.exe
2012	Load.exe
4900	Load.exe
2372	Load.exe
3048	Load.exe
5048	Load.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

5028 timeout.exe
1588 timeout.exe
4544 timeout.exe
Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1460 schtasks.exe
2468 schtasks.exe
3876 schtasks.exe
3960 schtasks.exe

pid	process
5028	timeout.exe
1588	timeout.exe
4544	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

pid	process
1460	schtasks.exe
2468	schtasks.exe
3876	schtasks.exe
3960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Load.exeLoad.exeLoad.exeLoad.exe

pid	process
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
4712	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
1112	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4800	Load.exe
4016	Load.exe
4016	Load.exe
4016	Load.exe
4016	Load.exe
4016	Load.exe
4016	Load.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Load.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exeLoad.exe

description	pid	process
Token: SeDebugPrivilege	4712	Load.exe
Token: SeDebugPrivilege	1112	Load.exe
Token: SeDebugPrivilege	4800	Load.exe
Token: SeDebugPrivilege	4020	Load.exe
Token: SeDebugPrivilege	4016	Load.exe
Token: SeDebugPrivilege	2492	Load.exe
Token: SeDebugPrivilege	4120	Load.exe
Token: SeDebugPrivilege	416	Load.exe
Token: SeDebugPrivilege	4372	Load.exe
Token: SeDebugPrivilege	4640	Load.exe
Token: SeDebugPrivilege	1400	Load.exe
Token: SeDebugPrivilege	1284	Load.exe
Token: SeDebugPrivilege	3164	Load.exe
Token: SeDebugPrivilege	3064	Load.exe
Token: SeDebugPrivilege	3504	Load.exe
Token: SeDebugPrivilege	3780	Load.exe
Token: SeDebugPrivilege	4900	Load.exe
Token: SeDebugPrivilege	2492	Load.exe
Token: SeDebugPrivilege	4308	Load.exe
Token: SeDebugPrivilege	1012	Load.exe
Token: SeDebugPrivilege	1144	Load.exe
Token: SeDebugPrivilege	1268	Load.exe
Token: SeDebugPrivilege	700	Load.exe
Token: SeDebugPrivilege	2256	Load.exe
Token: SeDebugPrivilege	3068	Load.exe
Token: SeDebugPrivilege	1100	Load.exe
Token: SeDebugPrivilege	4132	Load.exe
Token: SeDebugPrivilege	1192	Load.exe
Token: SeDebugPrivilege	3980	Load.exe
Token: SeDebugPrivilege	4080	Load.exe
Token: SeDebugPrivilege	4544	Load.exe
Token: SeDebugPrivilege	4980	Load.exe
Token: SeDebugPrivilege	2112	Load.exe
Token: SeDebugPrivilege	3744	Load.exe
Token: SeDebugPrivilege	4608	Load.exe
Token: SeDebugPrivilege	2500	Load.exe
Token: SeDebugPrivilege	2128	Load.exe
Token: SeDebugPrivilege	4984	Load.exe
Token: SeDebugPrivilege	2232	Load.exe
Token: SeDebugPrivilege	3880	Load.exe
Token: SeDebugPrivilege	1856	Load.exe
Token: SeDebugPrivilege	2840	Load.exe
Token: SeDebugPrivilege	2040	Load.exe
Token: SeDebugPrivilege	3748	Load.exe
Token: SeDebugPrivilege	544	Load.exe
Token: SeDebugPrivilege	1924	Load.exe
Token: SeDebugPrivilege	2824	Load.exe
Token: SeDebugPrivilege	1092	Load.exe
Token: SeDebugPrivilege	1004	Load.exe
Token: SeDebugPrivilege	5040	Load.exe
Token: SeDebugPrivilege	4092	Load.exe
Token: SeDebugPrivilege	3688	Load.exe
Token: SeDebugPrivilege	1252	Load.exe
Token: SeDebugPrivilege	3420	Load.exe
Token: SeDebugPrivilege	2256	Load.exe
Token: SeDebugPrivilege	3068	Load.exe
Token: SeDebugPrivilege	3152	Load.exe
Token: SeDebugPrivilege	3360	Load.exe
Token: SeDebugPrivilege	1644	Load.exe
Token: SeDebugPrivilege	2012	Load.exe
Token: SeDebugPrivilege	4900	Load.exe
Token: SeDebugPrivilege	2372	Load.exe
Token: SeDebugPrivilege	3048	Load.exe
Token: SeDebugPrivilege	5048	Load.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Load.exeMiniSearchHost.exe

pid process

4016 Load.exe
4388 MiniSearchHost.exe

pid	process
4016	Load.exe
4388	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.exeLoader.exeLoad.execmd.execmd.exeLoad.exeLoader.execmd.execmd.exeLoad.execmd.exeLoader.execmd.exeLoad.execmd.exeLoader.exeLoader.exeLoader.exeLoader.exe

description	pid	process	target process
PID 3420 wrote to memory of 492	3420	Loader.exe	Loader.exe
PID 3420 wrote to memory of 492	3420	Loader.exe	Loader.exe
PID 3420 wrote to memory of 4712	3420	Loader.exe	Load.exe
PID 3420 wrote to memory of 4712	3420	Loader.exe	Load.exe
PID 492 wrote to memory of 768	492	Loader.exe	Loader.exe
PID 492 wrote to memory of 768	492	Loader.exe	Loader.exe
PID 492 wrote to memory of 1112	492	Loader.exe	Load.exe
PID 492 wrote to memory of 1112	492	Loader.exe	Load.exe
PID 4712 wrote to memory of 3412	4712	Load.exe	cmd.exe
PID 4712 wrote to memory of 3412	4712	Load.exe	cmd.exe
PID 4712 wrote to memory of 4860	4712	Load.exe	cmd.exe
PID 4712 wrote to memory of 4860	4712	Load.exe	cmd.exe
PID 3412 wrote to memory of 1460	3412	cmd.exe	schtasks.exe
PID 3412 wrote to memory of 1460	3412	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 5028	4860	cmd.exe	timeout.exe
PID 4860 wrote to memory of 5028	4860	cmd.exe	timeout.exe
PID 1112 wrote to memory of 4056	1112	Load.exe	cmd.exe
PID 1112 wrote to memory of 4056	1112	Load.exe	cmd.exe
PID 768 wrote to memory of 3668	768	Loader.exe	Loader.exe
PID 768 wrote to memory of 3668	768	Loader.exe	Loader.exe
PID 4056 wrote to memory of 2468	4056	cmd.exe	schtasks.exe
PID 4056 wrote to memory of 2468	4056	cmd.exe	schtasks.exe
PID 768 wrote to memory of 4800	768	Loader.exe	Load.exe
PID 768 wrote to memory of 4800	768	Loader.exe	Load.exe
PID 1112 wrote to memory of 3040	1112	Load.exe	cmd.exe
PID 1112 wrote to memory of 3040	1112	Load.exe	cmd.exe
PID 3040 wrote to memory of 1588	3040	cmd.exe	timeout.exe
PID 3040 wrote to memory of 1588	3040	cmd.exe	timeout.exe
PID 4860 wrote to memory of 4020	4860	cmd.exe	Load.exe
PID 4860 wrote to memory of 4020	4860	cmd.exe	Load.exe
PID 4800 wrote to memory of 464	4800	Load.exe	cmd.exe
PID 4800 wrote to memory of 464	4800	Load.exe	cmd.exe
PID 464 wrote to memory of 3876	464	cmd.exe	schtasks.exe
PID 464 wrote to memory of 3876	464	cmd.exe	schtasks.exe
PID 3668 wrote to memory of 1200	3668	Loader.exe	Loader.exe
PID 3668 wrote to memory of 1200	3668	Loader.exe	Loader.exe
PID 3668 wrote to memory of 4016	3668	Loader.exe	Load.exe
PID 3668 wrote to memory of 4016	3668	Loader.exe	Load.exe
PID 4800 wrote to memory of 1768	4800	Load.exe	cmd.exe
PID 4800 wrote to memory of 1768	4800	Load.exe	cmd.exe
PID 1768 wrote to memory of 4544	1768	cmd.exe	timeout.exe
PID 1768 wrote to memory of 4544	1768	cmd.exe	timeout.exe
PID 3040 wrote to memory of 2492	3040	cmd.exe	Load.exe
PID 3040 wrote to memory of 2492	3040	cmd.exe	Load.exe
PID 4016 wrote to memory of 4312	4016	Load.exe	cmd.exe
PID 4016 wrote to memory of 4312	4016	Load.exe	cmd.exe
PID 4312 wrote to memory of 3960	4312	cmd.exe	schtasks.exe
PID 4312 wrote to memory of 3960	4312	cmd.exe	schtasks.exe
PID 1200 wrote to memory of 4088	1200	Loader.exe	Loader.exe
PID 1200 wrote to memory of 4088	1200	Loader.exe	Loader.exe
PID 1200 wrote to memory of 4120	1200	Loader.exe	Load.exe
PID 1200 wrote to memory of 4120	1200	Loader.exe	Load.exe
PID 1768 wrote to memory of 416	1768	cmd.exe	Load.exe
PID 1768 wrote to memory of 416	1768	cmd.exe	Load.exe
PID 4088 wrote to memory of 2412	4088	Loader.exe	Loader.exe
PID 4088 wrote to memory of 2412	4088	Loader.exe	Loader.exe
PID 4088 wrote to memory of 4372	4088	Loader.exe	Load.exe
PID 4088 wrote to memory of 4372	4088	Loader.exe	Load.exe
PID 2412 wrote to memory of 4608	2412	Loader.exe	Loader.exe
PID 2412 wrote to memory of 4608	2412	Loader.exe	Loader.exe
PID 2412 wrote to memory of 4640	2412	Loader.exe	Load.exe
PID 2412 wrote to memory of 4640	2412	Loader.exe	Load.exe
PID 4608 wrote to memory of 1728	4608	Loader.exe	Loader.exe
PID 4608 wrote to memory of 1728	4608	Loader.exe	Loader.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        9⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        10⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        11⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        12⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        13⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        14⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        15⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        16⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        17⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        18⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        19⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        20⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        21⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        22⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        23⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        24⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        25⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        26⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        27⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        28⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        29⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        30⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        31⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        32⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        33⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        34⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        35⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        36⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        37⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        38⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        39⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        40⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        41⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        42⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        43⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        44⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        45⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        46⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        47⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        48⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        49⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        50⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        51⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        52⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        53⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        54⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        55⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        56⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        57⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        58⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        59⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        60⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        61⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        62⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        63⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        64⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        65⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        66⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        67⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        68⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        69⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        70⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        71⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        72⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        73⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        74⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        75⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        76⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        77⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        78⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        79⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        80⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        81⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        82⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        83⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        84⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        85⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        86⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        87⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        88⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        89⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        90⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        91⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        92⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        93⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        94⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        95⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        96⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        97⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        98⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        99⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        100⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        101⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        102⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        103⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        104⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        105⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        106⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        107⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        108⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        109⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        110⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        111⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        112⤵
        
        PID:196
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        113⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        114⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        115⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        116⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        117⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        118⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        119⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        120⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        121⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        122⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        123⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        124⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        125⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        126⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        127⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        128⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        129⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        130⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        131⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        132⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        133⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        133⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        132⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        131⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        130⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        129⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        128⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        127⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        126⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        125⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        124⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        123⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        122⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        121⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        120⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        119⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        118⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        117⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        116⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        115⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        114⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        113⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        112⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        111⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        110⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        109⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        108⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        107⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        106⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        105⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        104⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        103⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        102⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        101⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        100⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        99⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        98⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        97⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        96⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        95⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        94⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        93⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        92⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        91⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        90⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        89⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        88⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        87⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        86⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        85⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        84⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        83⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        82⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        81⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        80⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        79⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        78⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        77⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        76⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        75⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        74⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        73⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        72⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        71⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        70⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        69⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        68⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        67⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        66⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        65⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        64⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        63⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
      - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
    - - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\Load.exe
      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:4544
      - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:416
- - C:\Users\Admin\AppData\Local\Temp\Load.exe
    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA50A.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1588
    - - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
- C:\Users\Admin\AppData\Local\Temp\Load.exe
  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9AC9.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5028
  - - C:\Users\Admin\AppData\Roaming\Load.exe
      "C:\Users\Admin\AppData\Roaming\Load.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1016

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Load.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Load.exe

Filesize
74KB

MD5
4fc5086bcb8939429aea99f7322e619b

SHA1
8d3bd7d005710a8ae0bd0143d18b437be20018d7

SHA256
e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd

SHA512
04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9AC9.tmp.bat

Filesize
148B

MD5
a21d9614dcbfc3c44deb9c2490ec3f2c

SHA1
628dc1bee840f343dad0f7f28ea9e3139f3c5c66

SHA256
55b58869cadb0e21fd0724669331f9f8a4eee8dc278f78cc60fbdce592231d88

SHA512
9860ee2018cffead487509a83acfbe53e138c807680b03d34605617ea538ff36ac180254938cb71f63b13c7e3c85a2e55869c5671967b9fd8e3dfd06ae55c243

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA50A.tmp.bat

Filesize
148B

MD5
17defb93dd3a87fd392439f101ce3187

SHA1
b7ddb3b4a33072ec0a438cc4badef32a241ce768

SHA256
7d48be34d7b50c1bc98391c136c9a69be30a963406b1fe490e11e24a8e39dcd3

SHA512
ecedbf0edf626510efdf1315ef1a582fa2a38d763105da74d25cd7788c96a7609d1123b2d2a99cd0e95078ff2cc0e60de7b635a65603cf54564d0b8eb9ded103

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAD09.tmp.bat

Filesize
148B

MD5
37189d8d19711f0fbd1ceace1b3e0bd4

SHA1
c1532831e7a50e828ea9120ef67c5e302c473f74

SHA256
a626b36c6dd20b65ff3e1c192abc709f776c1f4b6c0a95333cf1a9c72b0d3f5d

SHA512
ea8a65882b65224bed44cdc996ffc1314363861bf3d92d00e6d2dffd95b7cc2dd1df9123ec693fedc2a789d1036975e3b3955128fab0b0350ea50aa44f497b7d

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/492-15-0x00007FFECDF70000-0x00007FFECEA32000-memory.dmp

Filesize
10.8MB

Download
memory/492-22-0x00007FFECDF70000-0x00007FFECEA32000-memory.dmp

Filesize
10.8MB

Download
memory/3420-16-0x00007FFECDF70000-0x00007FFECEA32000-memory.dmp

Filesize
10.8MB

Download
memory/3420-2-0x00007FFECDF70000-0x00007FFECEA32000-memory.dmp

Filesize
10.8MB

Download
memory/3420-0-0x00007FFECDF73000-0x00007FFECDF75000-memory.dmp

Filesize
8KB

Download
memory/3420-1-0x0000000000420000-0x000000000063A000-memory.dmp

Filesize
2.1MB

Download
memory/4712-17-0x0000000000750000-0x0000000000768000-memory.dmp

Filesize
96KB

Download
memory/4712-18-0x00007FFECDF70000-0x00007FFECEA32000-memory.dmp

Filesize
10.8MB

Download
memory/4712-28-0x00007FFECDF70000-0x00007FFECEA32000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads