asyncrat | 8fe639c3cbdcb49a5246f85ce136f14c8c0ad5150c6e38b5eb66eced9d4c4329

Analysis

max time kernel
150s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29/11/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

2.1MB
MD5

a07c79f9e2dd72f3b884928ee384344e
SHA1

88df6b54a3e53a501b09b32de2def406820879fa
SHA256

35c4d936db755868a37561663cd4b279b338413db5f89c2f9df71d74a6d35b61
SHA512

cdb6957a1e59b053fdd8f0d43d9b1ba575da2140c5d2c547b87e8a5b1199f2d071f66152ade3cfdb5294903cf42f395a948b28ea87aef9d9aa6eacdeaffdd1fd
SSDEEP

49152:5ZosvRgdkadC7i03aQAZutzArxizJZTrEbupmpVwMgc:5Zostak7RGuqGJZXdpmIn

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes

delay
1
install
true
install_file
Load.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001c00000002aa7a-7.dat	family_asyncrat

Executes dropped EXE 64 IoCs

pid	Process
4340	Load.exe
3632	Load.exe
4888	Load.exe
1748	Load.exe
4548	Load.exe
4060	Load.exe
2720	Load.exe
4452	Load.exe
3644	Load.exe
1596	Load.exe
428	Load.exe
4936	Load.exe
3848	Load.exe
3880	Load.exe
3204	Load.exe
860	Load.exe
4304	Load.exe
4920	Load.exe
4592	Load.exe
4896	Load.exe
1984	Load.exe
4660	Load.exe
1604	Load.exe
3800	Load.exe
1508	Load.exe
1404	Load.exe
3316	Load.exe
3720	Load.exe
3292	Load.exe
1952	Load.exe
3748	Load.exe
4960	Load.exe
3736	Load.exe
1984	Load.exe
756	Load.exe
2128	Load.exe
4836	Load.exe
1344	Load.exe
1324	Load.exe
2604	Load.exe
4272	Load.exe
2608	Load.exe
3756	Load.exe
2092	Load.exe
2024	Load.exe
4624	Load.exe
5024	Load.exe
4472	Load.exe
1108	Load.exe
1200	Load.exe
2112	Load.exe
1800	Load.exe
1088	Load.exe
5016	Load.exe
4340	Load.exe
4132	Load.exe
1896	Load.exe
2196	Load.exe
4828	Load.exe
3244	Load.exe
3992	Load.exe
1776	Load.exe
2968	Load.exe
2708	Load.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
4716	timeout.exe
756	timeout.exe
1468	timeout.exe
3516	timeout.exe
2204	timeout.exe
2964	timeout.exe
1060	timeout.exe
3748	timeout.exe
1860	timeout.exe
4188	timeout.exe
72	timeout.exe
3324	timeout.exe
400	timeout.exe
4464	timeout.exe
3744	timeout.exe
3816	timeout.exe
1068	timeout.exe
3064	timeout.exe
1696	timeout.exe
2248	timeout.exe
2288	timeout.exe
3540	timeout.exe
1952	timeout.exe
4420	timeout.exe
3324	timeout.exe
3988	timeout.exe
2084	timeout.exe
2608	timeout.exe
4736	timeout.exe
1888	timeout.exe
1356	timeout.exe
4472	timeout.exe
920	timeout.exe
1768	timeout.exe
1936	timeout.exe
1860	timeout.exe
2968	timeout.exe
1596	timeout.exe
3132	timeout.exe
2384	timeout.exe
2112	timeout.exe
1436	timeout.exe
1844	timeout.exe
2672	timeout.exe
4996	timeout.exe
3764	timeout.exe
1832	timeout.exe
3408	timeout.exe
1440	timeout.exe
3368	timeout.exe
4592	timeout.exe
3096	timeout.exe
1924	timeout.exe
1152	timeout.exe
1128	timeout.exe
2624	timeout.exe
3892	timeout.exe
2128	timeout.exe
2816	timeout.exe
3092	timeout.exe
3184	timeout.exe
3300	timeout.exe
3172	timeout.exe
1764	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
812	schtasks.exe
3040	schtasks.exe
4308	schtasks.exe
3380	schtasks.exe
1916	schtasks.exe
3564	schtasks.exe
3156	schtasks.exe
1352	schtasks.exe
4080	schtasks.exe
2708	schtasks.exe
1180	schtasks.exe
1084	schtasks.exe
3572	schtasks.exe
1812	schtasks.exe
796	schtasks.exe
4696	schtasks.exe
3076	schtasks.exe
5108	schtasks.exe
4632	schtasks.exe
2620	schtasks.exe
2992	schtasks.exe
1092	schtasks.exe
2716	schtasks.exe
3100	schtasks.exe
3988	schtasks.exe
4576	schtasks.exe
1556	schtasks.exe
3856	schtasks.exe
3676	schtasks.exe
2304	schtasks.exe
4832	schtasks.exe
2024	schtasks.exe
4832	schtasks.exe
1560	schtasks.exe
4712	schtasks.exe
4832	schtasks.exe
1448	schtasks.exe
424	schtasks.exe
4592	schtasks.exe
2984	schtasks.exe
4244	schtasks.exe
3108	schtasks.exe
1424	schtasks.exe
3572	schtasks.exe
2384	schtasks.exe
1876	schtasks.exe
3428	schtasks.exe
2076	schtasks.exe
3600	schtasks.exe
808	schtasks.exe
4584	schtasks.exe
3988	schtasks.exe
1204	schtasks.exe
1040	schtasks.exe
3360	schtasks.exe
492	schtasks.exe
72	schtasks.exe
2416	schtasks.exe
1512	schtasks.exe
3264	schtasks.exe
960	schtasks.exe
468	schtasks.exe
3596	schtasks.exe
4604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
4340	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
3632	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
4888	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe
1748	Load.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	Load.exe
Token: SeDebugPrivilege	3632	Load.exe
Token: SeDebugPrivilege	4888	Load.exe
Token: SeDebugPrivilege	1748	Load.exe
Token: SeDebugPrivilege	4548	Load.exe
Token: SeDebugPrivilege	4060	Load.exe
Token: SeDebugPrivilege	2720	Load.exe
Token: SeDebugPrivilege	4452	Load.exe
Token: SeDebugPrivilege	3644	Load.exe
Token: SeDebugPrivilege	1596	Load.exe
Token: SeDebugPrivilege	428	Load.exe
Token: SeDebugPrivilege	4936	Load.exe
Token: SeDebugPrivilege	3848	Load.exe
Token: SeDebugPrivilege	3880	Load.exe
Token: SeDebugPrivilege	3204	Load.exe
Token: SeDebugPrivilege	860	Load.exe
Token: SeDebugPrivilege	4304	Load.exe
Token: SeDebugPrivilege	4920	Load.exe
Token: SeDebugPrivilege	4592	Load.exe
Token: SeDebugPrivilege	4896	Load.exe
Token: SeDebugPrivilege	1984	Load.exe
Token: SeDebugPrivilege	4660	Load.exe
Token: SeDebugPrivilege	1604	Load.exe
Token: SeDebugPrivilege	3800	Load.exe
Token: SeDebugPrivilege	1508	Load.exe
Token: SeDebugPrivilege	1404	Load.exe
Token: SeDebugPrivilege	3316	Load.exe
Token: SeDebugPrivilege	3720	Load.exe
Token: SeDebugPrivilege	3292	Load.exe
Token: SeDebugPrivilege	1952	Load.exe
Token: SeDebugPrivilege	4960	Load.exe
Token: SeDebugPrivilege	3736	Load.exe
Token: SeDebugPrivilege	1984	Load.exe
Token: SeDebugPrivilege	756	Load.exe
Token: SeDebugPrivilege	2128	Load.exe
Token: SeDebugPrivilege	4836	Load.exe
Token: SeDebugPrivilege	1344	Load.exe
Token: SeDebugPrivilege	1324	Load.exe
Token: SeDebugPrivilege	2604	Load.exe
Token: SeDebugPrivilege	4272	Load.exe
Token: SeDebugPrivilege	2608	Load.exe
Token: SeDebugPrivilege	3756	Load.exe
Token: SeDebugPrivilege	2092	Load.exe
Token: SeDebugPrivilege	2024	Load.exe
Token: SeDebugPrivilege	4624	Load.exe
Token: SeDebugPrivilege	5024	Load.exe
Token: SeDebugPrivilege	4472	Load.exe
Token: SeDebugPrivilege	1108	Load.exe
Token: SeDebugPrivilege	1200	Load.exe
Token: SeDebugPrivilege	2112	Load.exe
Token: SeDebugPrivilege	1800	Load.exe
Token: SeDebugPrivilege	1088	Load.exe
Token: SeDebugPrivilege	5016	Load.exe
Token: SeDebugPrivilege	4340	Load.exe
Token: SeDebugPrivilege	4132	Load.exe
Token: SeDebugPrivilege	1896	Load.exe
Token: SeDebugPrivilege	2196	Load.exe
Token: SeDebugPrivilege	4828	Load.exe
Token: SeDebugPrivilege	3244	Load.exe
Token: SeDebugPrivilege	3992	Load.exe
Token: SeDebugPrivilege	1776	Load.exe
Token: SeDebugPrivilege	2968	Load.exe
Token: SeDebugPrivilege	2708	Load.exe
Token: SeDebugPrivilege	1048	Load.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1972	1084	Loader.exe	77
PID 1084 wrote to memory of 1972	1084	Loader.exe	77
PID 1084 wrote to memory of 4340	1084	Loader.exe	78
PID 1084 wrote to memory of 4340	1084	Loader.exe	78
PID 4340 wrote to memory of 4236	4340	Load.exe	79
PID 4340 wrote to memory of 4236	4340	Load.exe	79
PID 4340 wrote to memory of 3924	4340	Load.exe	81
PID 4340 wrote to memory of 3924	4340	Load.exe	81
PID 4236 wrote to memory of 1448	4236	cmd.exe	83
PID 4236 wrote to memory of 1448	4236	cmd.exe	83
PID 3924 wrote to memory of 3408	3924	cmd.exe	84
PID 3924 wrote to memory of 3408	3924	cmd.exe	84
PID 1972 wrote to memory of 3368	1972	Loader.exe	85
PID 1972 wrote to memory of 3368	1972	Loader.exe	85
PID 1972 wrote to memory of 3632	1972	Loader.exe	86
PID 1972 wrote to memory of 3632	1972	Loader.exe	86
PID 3632 wrote to memory of 3156	3632	Load.exe	87
PID 3632 wrote to memory of 3156	3632	Load.exe	87
PID 3156 wrote to memory of 3596	3156	cmd.exe	89
PID 3156 wrote to memory of 3596	3156	cmd.exe	89
PID 3368 wrote to memory of 808	3368	Loader.exe	90
PID 3368 wrote to memory of 808	3368	Loader.exe	90
PID 3368 wrote to memory of 4888	3368	Loader.exe	91
PID 3368 wrote to memory of 4888	3368	Loader.exe	91
PID 3632 wrote to memory of 2236	3632	Load.exe	92
PID 3632 wrote to memory of 2236	3632	Load.exe	92
PID 2236 wrote to memory of 1952	2236	cmd.exe	94
PID 2236 wrote to memory of 1952	2236	cmd.exe	94
PID 4888 wrote to memory of 2568	4888	Load.exe	95
PID 4888 wrote to memory of 2568	4888	Load.exe	95
PID 2568 wrote to memory of 1204	2568	cmd.exe	97
PID 2568 wrote to memory of 1204	2568	cmd.exe	97
PID 808 wrote to memory of 1600	808	Loader.exe	98
PID 808 wrote to memory of 1600	808	Loader.exe	98
PID 808 wrote to memory of 1748	808	Loader.exe	99
PID 808 wrote to memory of 1748	808	Loader.exe	99
PID 4888 wrote to memory of 2416	4888	Load.exe	100
PID 4888 wrote to memory of 2416	4888	Load.exe	100
PID 2416 wrote to memory of 4420	2416	cmd.exe	102
PID 2416 wrote to memory of 4420	2416	cmd.exe	102
PID 2236 wrote to memory of 4548	2236	cmd.exe	103
PID 2236 wrote to memory of 4548	2236	cmd.exe	103
PID 1748 wrote to memory of 2764	1748	Load.exe	104
PID 1748 wrote to memory of 2764	1748	Load.exe	104
PID 2764 wrote to memory of 2076	2764	cmd.exe	106
PID 2764 wrote to memory of 2076	2764	cmd.exe	106
PID 1600 wrote to memory of 4704	1600	Loader.exe	107
PID 1600 wrote to memory of 4704	1600	Loader.exe	107
PID 1600 wrote to memory of 4060	1600	Loader.exe	108
PID 1600 wrote to memory of 4060	1600	Loader.exe	108
PID 1748 wrote to memory of 4344	1748	Load.exe	109
PID 1748 wrote to memory of 4344	1748	Load.exe	109
PID 4344 wrote to memory of 2384	4344	cmd.exe	111
PID 4344 wrote to memory of 2384	4344	cmd.exe	111
PID 2416 wrote to memory of 2720	2416	cmd.exe	112
PID 2416 wrote to memory of 2720	2416	cmd.exe	112
PID 4060 wrote to memory of 4904	4060	Load.exe	113
PID 4060 wrote to memory of 4904	4060	Load.exe	113
PID 4904 wrote to memory of 4832	4904	cmd.exe	115
PID 4904 wrote to memory of 4832	4904	cmd.exe	115
PID 4704 wrote to memory of 2984	4704	Loader.exe	116
PID 4704 wrote to memory of 2984	4704	Loader.exe	116
PID 4704 wrote to memory of 4452	4704	Loader.exe	117
PID 4704 wrote to memory of 4452	4704	Loader.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:808
    - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        7⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        8⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        9⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        10⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        11⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        12⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        13⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        14⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        15⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        16⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        17⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        18⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        19⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        20⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        21⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        22⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        23⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        24⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        25⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        26⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        27⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        28⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        29⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        30⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        31⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        32⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        33⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        34⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        35⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        36⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        37⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        38⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        39⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        40⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        41⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        42⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        43⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        44⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        45⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        46⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        47⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        48⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        49⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        50⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        51⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        52⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        53⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        54⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        55⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        56⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        57⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        58⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        59⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        60⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        61⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        62⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        63⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        64⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        65⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        66⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        67⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        68⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        69⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        69⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        68⤵
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        69⤵
        
        PID:3968
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        70⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        67⤵
        
        PID:3108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        68⤵
        
        PID:1604
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFAD1.tmp.bat""
        68⤵
        
        PID:2368
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        69⤵
        Delays execution with timeout.exe
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        66⤵
        
        PID:3452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        67⤵
        
        PID:3940
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        68⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1C9.tmp.bat""
        67⤵
        
        PID:4216
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        68⤵
        Delays execution with timeout.exe
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        68⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        65⤵
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        66⤵
        
        PID:4452
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:72
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE8D0.tmp.bat""
        66⤵
        
        PID:3600
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        67⤵
        Delays execution with timeout.exe
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        64⤵
        
        PID:1404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        65⤵
        
        PID:4968
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        66⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE035.tmp.bat""
        65⤵
        
        PID:3564
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        66⤵
        Delays execution with timeout.exe
        
        PID:3300
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        66⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        63⤵
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        64⤵
        
        PID:1352
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD75B.tmp.bat""
        64⤵
        
        PID:1308
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        65⤵
        Delays execution with timeout.exe
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        65⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        62⤵
        
        PID:3164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        63⤵
        
        PID:3160
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        64⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCE52.tmp.bat""
        63⤵
        
        PID:4016
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        64⤵
        Delays execution with timeout.exe
        
        PID:3540
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        64⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        61⤵
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        62⤵
        
        PID:3832
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC5A8.tmp.bat""
        62⤵
        
        PID:4868
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        63⤵
        Delays execution with timeout.exe
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        63⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        60⤵
        
        PID:736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        61⤵
        
        PID:3772
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        62⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBCAF.tmp.bat""
        61⤵
        
        PID:3392
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        62⤵
        Delays execution with timeout.exe
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        62⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        59⤵
        
        PID:4444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        60⤵
        
        PID:3040
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB4A0.tmp.bat""
        60⤵
        
        PID:1752
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        61⤵
        Delays execution with timeout.exe
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        61⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        58⤵
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        59⤵
        
        PID:2992
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        60⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpABF6.tmp.bat""
        59⤵
        
        PID:2472
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        60⤵
        Delays execution with timeout.exe
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        60⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        57⤵
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        58⤵
        
        PID:3340
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA33B.tmp.bat""
        58⤵
        
        PID:2444
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        59⤵
        Delays execution with timeout.exe
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        59⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        56⤵
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        57⤵
        
        PID:2360
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        58⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9AFE.tmp.bat""
        57⤵
        
        PID:2656
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        58⤵
        Delays execution with timeout.exe
        
        PID:3184
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        58⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        55⤵
        
        PID:720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        56⤵
        
        PID:2720
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9234.tmp.bat""
        56⤵
        
        PID:1112
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        57⤵
        Delays execution with timeout.exe
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        57⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        54⤵
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        55⤵
        
        PID:3032
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        56⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp89D7.tmp.bat""
        55⤵
        
        PID:3296
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        56⤵
        Delays execution with timeout.exe
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        56⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        53⤵
        
        PID:4652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        54⤵
        
        PID:3764
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp80EE.tmp.bat""
        54⤵
        
        PID:3664
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        55⤵
        Delays execution with timeout.exe
        
        PID:3368
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        55⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        52⤵
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        53⤵
        
        PID:3128
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        54⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7882.tmp.bat""
        53⤵
        
        PID:2304
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        54⤵
        Delays execution with timeout.exe
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        54⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        51⤵
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        52⤵
        
        PID:4164
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6FC7.tmp.bat""
        52⤵
        
        PID:3824
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        53⤵
        Delays execution with timeout.exe
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        53⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        50⤵
        
        PID:696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        51⤵
        
        PID:2904
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        52⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp66EE.tmp.bat""
        51⤵
        
        PID:3588
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        52⤵
        Delays execution with timeout.exe
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        52⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        49⤵
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        50⤵
        
        PID:2524
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5E81.tmp.bat""
        50⤵
        
        PID:1688
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        51⤵
        Delays execution with timeout.exe
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        51⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        48⤵
        
        PID:4132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        49⤵
        
        PID:1352
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        50⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp55C7.tmp.bat""
        49⤵
        
        PID:4420
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        50⤵
        Delays execution with timeout.exe
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        50⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        47⤵
        
        PID:432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        48⤵
        
        PID:1340
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D0D.tmp.bat""
        48⤵
        
        PID:2308
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        49⤵
        Delays execution with timeout.exe
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        49⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        46⤵
        
        PID:3624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        47⤵
        
        PID:1136
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        48⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4472.tmp.bat""
        47⤵
        
        PID:3500
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        48⤵
        Delays execution with timeout.exe
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        48⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        45⤵
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        46⤵
        
        PID:3420
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3BF6.tmp.bat""
        46⤵
        
        PID:2356
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        47⤵
        Delays execution with timeout.exe
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        47⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        44⤵
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        45⤵
        
        PID:2276
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        46⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3399.tmp.bat""
        45⤵
        
        PID:2844
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        46⤵
        Delays execution with timeout.exe
        
        PID:3096
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        46⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        43⤵
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        44⤵
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B3C.tmp.bat""
        44⤵
        
        PID:3832
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        45⤵
        Delays execution with timeout.exe
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        45⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        42⤵
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        43⤵
        
        PID:4604
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        44⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp22B1.tmp.bat""
        43⤵
        
        PID:2536
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        44⤵
        Delays execution with timeout.exe
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        44⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        41⤵
        
        PID:3596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        42⤵
        
        PID:3720
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A16.tmp.bat""
        42⤵
        
        PID:3812
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        43⤵
        Delays execution with timeout.exe
        
        PID:4188
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        43⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        40⤵
        
        PID:3328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        41⤵
        
        PID:2272
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        42⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp114C.tmp.bat""
        41⤵
        
        PID:3088
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        42⤵
        Delays execution with timeout.exe
        
        PID:4592
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        42⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        39⤵
        
        PID:3632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        40⤵
        
        PID:1340
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D0.tmp.bat""
        40⤵
        
        PID:3912
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        41⤵
        Delays execution with timeout.exe
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        41⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        38⤵
        
        PID:796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        39⤵
        
        PID:2804
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA2.tmp.bat""
        39⤵
        
        PID:4980
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        40⤵
        Delays execution with timeout.exe
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        40⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        37⤵
        
        PID:3316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        38⤵
        
        PID:4464
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF7D8.tmp.bat""
        38⤵
        
        PID:3696
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        39⤵
        Delays execution with timeout.exe
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        39⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        36⤵
        
        PID:3924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        37⤵
        
        PID:1944
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        38⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEFF.tmp.bat""
        37⤵
        
        PID:4932
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        38⤵
        Delays execution with timeout.exe
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        38⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        36⤵
        
        PID:3668
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE663.tmp.bat""
        36⤵
        
        PID:3876
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        37⤵
        Delays execution with timeout.exe
        
        PID:3988
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        37⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        35⤵
        
        PID:4968
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDDA9.tmp.bat""
        35⤵
        
        PID:620
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        36⤵
        Delays execution with timeout.exe
        
        PID:4472
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        36⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        34⤵
        
        PID:3736
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD4DF.tmp.bat""
        34⤵
        
        PID:416
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        35⤵
        Delays execution with timeout.exe
        
        PID:72
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        33⤵
        
        PID:4172
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCC63.tmp.bat""
        33⤵
        
        PID:1700
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        34⤵
        Delays execution with timeout.exe
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        32⤵
        
        PID:3880
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3A9.tmp.bat""
        32⤵
        
        PID:4348
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        33⤵
        Delays execution with timeout.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        31⤵
        
        PID:4272
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB7B.tmp.bat""
        31⤵
        
        PID:5048
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        32⤵
        Delays execution with timeout.exe
        
        PID:3132
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        30⤵
        
        PID:3096
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB2C1.tmp.bat""
        30⤵
        
        PID:2804
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        31⤵
        Delays execution with timeout.exe
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        29⤵
        
        PID:1584
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA45.tmp.bat""
        29⤵
        
        PID:4576
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        30⤵
        Delays execution with timeout.exe
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        28⤵
        
        PID:3172
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA207.tmp.bat""
        28⤵
        
        PID:656
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        29⤵
        Delays execution with timeout.exe
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        27⤵
        
        PID:1924
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        28⤵
        
        PID:3532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp995D.tmp.bat""
        27⤵
        
        PID:1380
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        28⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        26⤵
        
        PID:2248
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp90A2.tmp.bat""
        26⤵
        
        PID:1228
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        27⤵
        Delays execution with timeout.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        25⤵
        
        PID:3408
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp87E8.tmp.bat""
        25⤵
        
        PID:932
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        26⤵
        Delays execution with timeout.exe
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        24⤵
        
        PID:4980
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FAB.tmp.bat""
        24⤵
        
        PID:4244
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        25⤵
        Delays execution with timeout.exe
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        23⤵
        
        PID:2976
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp76F0.tmp.bat""
        23⤵
        
        PID:4268
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        24⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        22⤵
        
        PID:3420
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E36.tmp.bat""
        22⤵
        
        PID:4504
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        23⤵
        Delays execution with timeout.exe
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        21⤵
        
        PID:2116
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp65AA.tmp.bat""
        21⤵
        
        PID:4948
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        22⤵
        Delays execution with timeout.exe
        
        PID:3764
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        20⤵
        
        PID:4704
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        21⤵
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5D00.tmp.bat""
        20⤵
        
        PID:2112
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        21⤵
        Delays execution with timeout.exe
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        19⤵
        
        PID:3244
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5445.tmp.bat""
        19⤵
        
        PID:2212
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        20⤵
        Delays execution with timeout.exe
        
        PID:4996
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        18⤵
        
        PID:3260
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4B9A.tmp.bat""
        18⤵
        
        PID:1708
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        19⤵
        Delays execution with timeout.exe
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        17⤵
        
        PID:3416
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        18⤵
        
        PID:920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp431F.tmp.bat""
        17⤵
        
        PID:240
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        18⤵
        Delays execution with timeout.exe
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        18⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        16⤵
        
        PID:2388
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3AD2.tmp.bat""
        16⤵
        
        PID:3296
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        17⤵
        Delays execution with timeout.exe
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        15⤵
        
        PID:1284
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3265.tmp.bat""
        15⤵
        
        PID:2304
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        16⤵
        Delays execution with timeout.exe
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        14⤵
        
        PID:1928
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp296C.tmp.bat""
        14⤵
        
        PID:244
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        15⤵
        Delays execution with timeout.exe
        
        PID:3816
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        13⤵
        
        PID:5040
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp213F.tmp.bat""
        13⤵
        
        PID:3876
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        14⤵
        Delays execution with timeout.exe
        
        PID:3172
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        12⤵
        
        PID:1212
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1894.tmp.bat""
        12⤵
        
        PID:1968
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        13⤵
        Delays execution with timeout.exe
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        11⤵
        
        PID:3104
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFE9.tmp.bat""
        11⤵
        
        PID:3532
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        12⤵
        Delays execution with timeout.exe
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        10⤵
        
        PID:2812
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp77D.tmp.bat""
        10⤵
        
        PID:4348
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        9⤵
        
        PID:4008
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFEB3.tmp.bat""
        9⤵
        
        PID:1916
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        8⤵
        
        PID:4652
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF608.tmp.bat""
        8⤵
        
        PID:4220
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
      - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpED7D.tmp.bat""
        7⤵
        
        PID:3988
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
    - - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE4E2.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\Load.exe
      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC27.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:4420
      - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
- - C:\Users\Admin\AppData\Local\Temp\Load.exe
    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3156
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD428.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1952
    - - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
- C:\Users\Admin\AppData\Local\Temp\Load.exe
  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC880.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Load.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Load.exe

Filesize
74KB

MD5
4fc5086bcb8939429aea99f7322e619b

SHA1
8d3bd7d005710a8ae0bd0143d18b437be20018d7

SHA256
e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd

SHA512
04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1894.tmp.bat

Filesize
148B

MD5
70032832fb30cae4395412785ada1afc

SHA1
eb0c169aa34ba6f08975fe2b9b86408fd0379feb

SHA256
7649bf5692826f00c2ee3a7fbd8f485175f040b36e5c80e17de732913a1cb57f

SHA512
1cfbd079d1e6b00ef59d9180b6fd14c2a16ea73de70499b435680cab1319604da0b19526efa68e635556c0289f0a3b9b66f3e4543b047664945a3477ad77659f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp213F.tmp.bat

Filesize
148B

MD5
f187a8b0566e7ba7ac71d8ef3007cbad

SHA1
2e445a86ffd6f1ec2ec4b520c6cbd90e60d96c8f

SHA256
76b473d2e0b984bc351094c42a88010ab5124c3ad13533ebe54df4142bca57ab

SHA512
cf0c788f0eab29b661388c7861102ff558052cd0d6854288b85544c28069bc0880a1cee89839e4639affb9ca5f1a9437114bc3fd7753d8aad99c43264ae39a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp296C.tmp.bat

Filesize
148B

MD5
f373a99585f1c261334e5c6a28be0c65

SHA1
856c8d2e501e9280eaec2f6a0b19ca44421584dd

SHA256
df837164c2659b143287f5a02470add5e702f02cd45fd65150bf36f845124fc0

SHA512
c21ef0083d4b32e8d488cb35d1e604aef50b9a62afc1a4a56c2873009c609aa7b4901d7dc8921eb452558f0e5af4c4b2819736d59affaf19a798fae7faef5764

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3265.tmp.bat

Filesize
148B

MD5
fff8ec54229e859454fbc1db7ea87b2c

SHA1
560a42953498984a9bec5ef34f4d7f01f1f8422a

SHA256
698bb03d2019ae6df25846f546b7cc0101941bf4471974e01596d404885ab0ee

SHA512
92ea64e5a8023a4cc92a5ca76933023ed1738ad7d9cc45a821ac23c447f896b429b586f2b6fde5e5e6d6d36fc05ed458e4d49ad53b7bfb58c3436169d4d7e794

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3AD2.tmp.bat

Filesize
148B

MD5
c0a689e3b28825f39a6aca0c4daa7089

SHA1
26054ed42209d3447cccf0bb9ae4f3b78baea7a8

SHA256
097ad97b0c15958112090cba884bf02cd10809dbf141afa299d4ce78fa2a7115

SHA512
be84c2f52d9aec946b4c6cf9d89851d647dbc1857c775a4dba2d8e8a6876bd48d00c971f144748c0beecf25e2dc3ef4d8945770521851b24266ef48ee4367c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp431F.tmp.bat

Filesize
148B

MD5
f5fbf2d18f907ad893bf9e9a92bf0f75

SHA1
7c567339df13c7ee989c55aaa332811fe97c8174

SHA256
95763c7fd976ba040a60b946914603dac39f7d4e7502c40ecfe99048c48fc506

SHA512
b7ad66bbe47f8f679cf9b22db5c8e8ac1620a919a3a0f72866602e631e4326f4b11e581eeb17ae3a8854142d43d9b735ccc0231e4a5f9c448f6d7b90e1ffc949

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp77D.tmp.bat

Filesize
147B

MD5
76191ede829e470d230eef9b31af2372

SHA1
a18c7ab965d6cf65273563fb1f4f170439f52667

SHA256
687083d581fec9133dbb99fc82b0b44a8507f04e06c86f07f1292b7719ff6c4d

SHA512
de7247d3793604d6552fdc6cf2de5dc2a16f61c3bfe70a8fc1c3b86b0c6bfe227858cdefe3ca8b046a80e4a9f5ae56e61f7228837d159499d72815ba0cdef082

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC880.tmp.bat

Filesize
148B

MD5
d8c034086c8768473b20a343c848dc69

SHA1
8e551dd162214240289a64a7d654fd41079d783d

SHA256
80e2e34f3ac25b3b39d95e7e4326a4125e7335a0ab1325bde2a05fffaaace62d

SHA512
aac92883dcc06886452a6454bec0f3a624d90b0ccfa26c0ce608095de6579c85eaac32e86e5beed71924c923ceedbe3b54f6a6c9a1adac462008e960f112d2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD428.tmp.bat

Filesize
148B

MD5
8cd0c9eda2ea7c46df0565d9fe98ed66

SHA1
01ab3cd1f1bc7609941db300742677ba915f3e7d

SHA256
5662578fccc977396504aefe280ad57e408226a819be38f8a2eca18f092b297d

SHA512
30fb7f88d2985a46b1ae525e2069adff3b9a7a04dc66e5d97da1293a8e3a8bad070091ec190d03d9b5670d8539e91b19f25e3a2bbd5a97db2eee74db03685b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC27.tmp.bat

Filesize
148B

MD5
29cc95c37de9d36351e4f198086b04e3

SHA1
f6ca1181c12f3ce91b9e7701ae0fad94205cb7a9

SHA256
359888e5d0a420070518baac501590225dfbf901710587dc01b579c0e5e24db0

SHA512
1fc96411a6f0543563afa8afb0dbf45d1c4ae62372bbaad66d1116569266f97e4ed33bb2537af970f1d0663b7ab45a97dcec7717aed6f716508aa4a28d086760

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE4E2.tmp.bat

Filesize
148B

MD5
95193e501a8754b567edc3892981aeac

SHA1
4406907e38fd1a72f73ac2b69b85ac5e36db0e4b

SHA256
0ea27d7ba91ef524b46730fc23f8987b73964863983195613b0c720715a24662

SHA512
a3b952ce8bd4df756f76bf9b375bd522ee175fd3a362eecde87c79ac9ddcd79dfaf89f474aa06727da857f28ac50e6b0f7a7c4db3e72e197b5a5f983a0eb9ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED7D.tmp.bat

Filesize
148B

MD5
0e11d76d7267409ef6edc256eb612459

SHA1
76d49da97bf41241d701414fa0caf1ca9605c502

SHA256
9d5002ffcbf82f19fd5d250f515e52fa2cdc4c200d33eb6780a7009318252cab

SHA512
a8c63874f9e3815e538877e8dfcdca1585086709fca44b4043f952a47056eab792de2fbc088ec41e339b5ce481184fbefd5a57ab50aeee92d67e0ffb8e0792e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF608.tmp.bat

Filesize
148B

MD5
fedae5c8908bb8b540f57dd19477468c

SHA1
78f94093e743028fd8e0109ac4f8289dc6b6d0a9

SHA256
0e84b8e8be178b9216dadb1d006218a8fdce3d92db62eb00588f0fa24a04dc61

SHA512
0cb60ffe3aa7b934e8288f57734bf02e3fb37ec4c6c399fdcf0e962c768218c5d40ceaafb0dfe4eaf86e125a91b1edb1e8f9226a1f5688525cf05a1cc8649a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE9.tmp.bat

Filesize
147B

MD5
36b927f9d2d97f7d7ae1e99624eff89f

SHA1
cae5e6c639e4a50d5828ec02d6861abd207d9385

SHA256
2824dccffef77e018599c7e4c90742c112e0ff4c64547b76f080f203ac8da3df

SHA512
50cea549078d7f705406edc0f1946610b98d86045d41c2432132d871d953157bfac7f4c4575dccec85a24f81d650dc90a0d1626b11fc7e72117afa423ff11b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFEB3.tmp.bat

Filesize
148B

MD5
512c30a8e13adf5bec3580662ef9a702

SHA1
e4e3ed1583d44ba7a91b3179a7c933dc7c149798

SHA256
f56e439d9aaaf433aae1aaed5adc4be5b6772f6e01dc2fa72272fc6acee2f653

SHA512
bcf5fff2bb27a462081bd3c38e3b950613865cdbccf66d1c005cac773e846265bdb1f07cc9d13a25fac8166f96f8a207057929770c96443b7d3f9a4f51070400

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/1084-0-0x00007FF8EB633000-0x00007FF8EB635000-memory.dmp

Filesize
8KB

Download
memory/1084-16-0x00007FF8EB630000-0x00007FF8EC0F2000-memory.dmp

Filesize
10.8MB

Download
memory/1084-2-0x00007FF8EB630000-0x00007FF8EC0F2000-memory.dmp

Filesize
10.8MB

Download
memory/1084-1-0x00000000000C0000-0x00000000002DA000-memory.dmp

Filesize
2.1MB

Download
memory/1972-40-0x00007FF8EB630000-0x00007FF8EC0F2000-memory.dmp

Filesize
10.8MB

Download
memory/1972-15-0x00007FF8EB630000-0x00007FF8EC0F2000-memory.dmp

Filesize
10.8MB

Download
memory/4340-24-0x00007FF8EB630000-0x00007FF8EC0F2000-memory.dmp

Filesize
10.8MB

Download
memory/4340-19-0x00007FF8EB630000-0x00007FF8EC0F2000-memory.dmp

Filesize
10.8MB

Download
memory/4340-17-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

Filesize
96KB

Download