asyncrat | 3c65766763fc26ba80bd11313a587f3e3206f9ba3fea6a39decd66a700cc9213

Analysis

max time kernel
149s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
15-12-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EU.exe
Size

2.1MB
MD5

84714242749ee3c7f626d1e9684e391a
SHA1

f17abb2ab4ff1bb08360420c73e4d9496045ac1e
SHA256

3c65766763fc26ba80bd11313a587f3e3206f9ba3fea6a39decd66a700cc9213
SHA512

513010ecf933aaa85ae887b59aa03b8ddebc406cdd9ae3b889fdb2768ab33e363f81d17813e5caefe42e57162b45a81097a95723345e232b288be432150b4a28
SSDEEP

49152:n2mx9FhsvlnBh5WYNo4QP6Dc3V0bO2EYTRIagYDitK/z5:n2m9WTNopCDc3V0bJE6RrHiE/z

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes

delay
1
install
true
install_file
Load.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x004b00000002aac0-17.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2368	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk	Done.exe

Executes dropped EXE 64 IoCs

pid	Process
4208	Done.exe
4976	Load.exe
2596	Done.exe
1188	Load.exe
572	apihost.exe
1648	Done.exe
1108	Load.exe
2304	Done.exe
1120	Load.exe
2284	Done.exe
972	Load.exe
4476	Load.exe
1216	Done.exe
3916	Load.exe
1764	Load.exe
2152	Done.exe
3508	Load.exe
3524	Load.exe
2128	Done.exe
2896	Load.exe
1336	Load.exe
4900	Done.exe
4764	Load.exe
1108	Load.exe
4104	Done.exe
4712	Load.exe
5072	Load.exe
4772	Done.exe
4912	Load.exe
572	Load.exe
2164	Done.exe
2408	Load.exe
2212	Load.exe
2940	Done.exe
1496	Load.exe
3916	Load.exe
332	Done.exe
752	Load.exe
1992	Load.exe
1460	Done.exe
1436	Load.exe
3496	Load.exe
1992	Done.exe
1524	Load.exe
4284	Load.exe
1348	Done.exe
3980	Load.exe
2892	Done.exe
1360	Load.exe
4812	Load.exe
3204	Done.exe
2572	Load.exe
2524	Done.exe
5068	Load.exe
1756	Load.exe
1992	Done.exe
580	Load.exe
3668	Load.exe
2644	Done.exe
4712	Load.exe
3328	Load.exe
4060	Done.exe
2664	Load.exe
400	Load.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apihost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4936	TRACERT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
4080	timeout.exe
716	timeout.exe
720	timeout.exe
572	timeout.exe
3536	timeout.exe
4824	timeout.exe
3104	timeout.exe
2072	timeout.exe
4736	timeout.exe
4284	timeout.exe
1772	timeout.exe
4932	timeout.exe
2896	timeout.exe
4912	timeout.exe
4892	timeout.exe
2336	timeout.exe
912	timeout.exe
4328	timeout.exe
3024	timeout.exe
4788	timeout.exe
1532	timeout.exe
3432	timeout.exe
3128	timeout.exe
2780	timeout.exe
1604	timeout.exe
4348	timeout.exe
648	timeout.exe
2024	timeout.exe
2128	timeout.exe
5016	timeout.exe
4692	timeout.exe
3576	timeout.exe
2340	timeout.exe
5048	timeout.exe
2872	timeout.exe
2436	timeout.exe
4932	timeout.exe
2892	timeout.exe
1504	timeout.exe
416	timeout.exe
1668	timeout.exe
3144	timeout.exe
3104	timeout.exe
436	timeout.exe
4996	timeout.exe
1604	timeout.exe
4908	timeout.exe
1532	timeout.exe
4500	timeout.exe
572	timeout.exe
3456	timeout.exe
2896	timeout.exe
4748	timeout.exe
2904	timeout.exe
3128	timeout.exe
4432	timeout.exe
5072	timeout.exe
2896	timeout.exe
4848	timeout.exe
780	timeout.exe
1596	timeout.exe
4884	timeout.exe
1436	timeout.exe
2892	timeout.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1080	schtasks.exe
2284	schtasks.exe
940	schtasks.exe
2100	schtasks.exe
3052	schtasks.exe
4788	schtasks.exe
3084	schtasks.exe
2560	schtasks.exe
4832	schtasks.exe
1992	schtasks.exe
400	schtasks.exe
3928	schtasks.exe
3592	schtasks.exe
4420	schtasks.exe
3664	schtasks.exe
1100	schtasks.exe
3844	schtasks.exe
1040	schtasks.exe
3920	schtasks.exe
4780	schtasks.exe
4020	schtasks.exe
3140	schtasks.exe
3188	schtasks.exe
3760	schtasks.exe
5052	schtasks.exe
2440	schtasks.exe
436	schtasks.exe
2896	schtasks.exe
3360	schtasks.exe
2304	schtasks.exe
2164	schtasks.exe
4208	schtasks.exe
2624	schtasks.exe
2072	schtasks.exe
3760	schtasks.exe
5068	schtasks.exe
4832	schtasks.exe
716	schtasks.exe
2056	schtasks.exe
2560	schtasks.exe
2936	schtasks.exe
4936	schtasks.exe
1836	schtasks.exe
1928	schtasks.exe
3900	schtasks.exe
1292	schtasks.exe
2784	schtasks.exe
1676	schtasks.exe
4496	schtasks.exe
1932	schtasks.exe
3504	schtasks.exe
380	schtasks.exe
3640	schtasks.exe
2560	schtasks.exe
3884	schtasks.exe
1584	schtasks.exe
1856	schtasks.exe
4420	schtasks.exe
4832	schtasks.exe
4824	schtasks.exe
1708	schtasks.exe
1512	schtasks.exe
3360	schtasks.exe
2548	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2596	Done.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
4976	Load.exe
2368	powershell.exe
2368	powershell.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1188	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1108	Load.exe
1120	Load.exe
1120	Load.exe
1120	Load.exe
1120	Load.exe
1120	Load.exe
1120	Load.exe
1120	Load.exe
1120	Load.exe
1120	Load.exe
1120	Load.exe
1120	Load.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4736	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	Load.exe
Token: SeDebugPrivilege	1188	Load.exe
Token: SeDebugPrivilege	4208	Done.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2596	Done.exe
Token: SeDebugPrivilege	1108	Load.exe
Token: SeDebugPrivilege	1120	Load.exe
Token: SeDebugPrivilege	972	Load.exe
Token: SeDebugPrivilege	4476	Load.exe
Token: SeDebugPrivilege	3916	Load.exe
Token: SeDebugPrivilege	1764	Load.exe
Token: SeDebugPrivilege	3508	Load.exe
Token: SeDebugPrivilege	3524	Load.exe
Token: SeDebugPrivilege	2896	Load.exe
Token: SeDebugPrivilege	1336	Load.exe
Token: SeDebugPrivilege	4764	Load.exe
Token: SeDebugPrivilege	1108	Load.exe
Token: SeDebugPrivilege	4712	Load.exe
Token: SeDebugPrivilege	5072	Load.exe
Token: SeDebugPrivilege	4912	Load.exe
Token: SeDebugPrivilege	572	Load.exe
Token: SeDebugPrivilege	2408	Load.exe
Token: SeDebugPrivilege	2212	Load.exe
Token: SeDebugPrivilege	1496	Load.exe
Token: SeDebugPrivilege	3916	Load.exe
Token: SeDebugPrivilege	752	Load.exe
Token: SeDebugPrivilege	1992	Load.exe
Token: SeDebugPrivilege	1436	Load.exe
Token: SeDebugPrivilege	3496	Load.exe
Token: SeDebugPrivilege	1524	Load.exe
Token: SeDebugPrivilege	4284	Load.exe
Token: SeDebugPrivilege	3980	Load.exe
Token: SeDebugPrivilege	1360	Load.exe
Token: SeDebugPrivilege	4812	Load.exe
Token: SeDebugPrivilege	2572	Load.exe
Token: SeDebugPrivilege	5068	Load.exe
Token: SeDebugPrivilege	1756	Load.exe
Token: SeDebugPrivilege	580	Load.exe
Token: SeDebugPrivilege	3668	Load.exe
Token: SeDebugPrivilege	4712	Load.exe
Token: SeDebugPrivilege	3328	Load.exe
Token: SeDebugPrivilege	2664	Load.exe
Token: SeDebugPrivilege	400	Load.exe
Token: SeDebugPrivilege	912	Load.exe
Token: SeDebugPrivilege	780	Load.exe
Token: SeDebugPrivilege	4260	Load.exe
Token: SeDebugPrivilege	3616	Load.exe
Token: SeDebugPrivilege	3980	Load.exe
Token: SeDebugPrivilege	4940	Load.exe
Token: SeDebugPrivilege	1136	Load.exe
Token: SeDebugPrivilege	984	Load.exe
Token: SeDebugPrivilege	2864	Load.exe
Token: SeDebugPrivilege	1100	Load.exe
Token: SeDebugPrivilege	3364	Load.exe
Token: SeDebugPrivilege	2376	Load.exe
Token: SeDebugPrivilege	3028	Load.exe
Token: SeDebugPrivilege	4344	Load.exe
Token: SeDebugPrivilege	2480	Load.exe
Token: SeDebugPrivilege	3500	Load.exe
Token: SeDebugPrivilege	3632	Load.exe
Token: SeDebugPrivilege	4316	Load.exe
Token: SeDebugPrivilege	4256	Load.exe
Token: SeDebugPrivilege	1340	Load.exe
Token: SeDebugPrivilege	4528	Load.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4736	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 4208	2308	EU.exe	77
PID 2308 wrote to memory of 4208	2308	EU.exe	77
PID 2308 wrote to memory of 4208	2308	EU.exe	77
PID 2308 wrote to memory of 4976	2308	EU.exe	78
PID 2308 wrote to memory of 4976	2308	EU.exe	78
PID 2308 wrote to memory of 3176	2308	EU.exe	79
PID 2308 wrote to memory of 3176	2308	EU.exe	79
PID 4976 wrote to memory of 4940	4976	Load.exe	80
PID 4976 wrote to memory of 4940	4976	Load.exe	80
PID 4976 wrote to memory of 3540	4976	Load.exe	82
PID 4976 wrote to memory of 3540	4976	Load.exe	82
PID 3540 wrote to memory of 4884	3540	cmd.exe	85
PID 3540 wrote to memory of 4884	3540	cmd.exe	85
PID 4940 wrote to memory of 2056	4940	cmd.exe	84
PID 4940 wrote to memory of 2056	4940	cmd.exe	84
PID 3176 wrote to memory of 2596	3176	EU.exe	86
PID 3176 wrote to memory of 2596	3176	EU.exe	86
PID 3176 wrote to memory of 2596	3176	EU.exe	86
PID 3176 wrote to memory of 1188	3176	EU.exe	87
PID 3176 wrote to memory of 1188	3176	EU.exe	87
PID 3176 wrote to memory of 1140	3176	EU.exe	88
PID 3176 wrote to memory of 1140	3176	EU.exe	88
PID 4208 wrote to memory of 380	4208	Done.exe	89
PID 4208 wrote to memory of 380	4208	Done.exe	89
PID 4208 wrote to memory of 380	4208	Done.exe	89
PID 4208 wrote to memory of 2368	4208	Done.exe	90
PID 4208 wrote to memory of 2368	4208	Done.exe	90
PID 4208 wrote to memory of 2368	4208	Done.exe	90
PID 4208 wrote to memory of 572	4208	Done.exe	93
PID 4208 wrote to memory of 572	4208	Done.exe	93
PID 4208 wrote to memory of 572	4208	Done.exe	93
PID 1188 wrote to memory of 3108	1188	Load.exe	94
PID 1188 wrote to memory of 3108	1188	Load.exe	94
PID 3108 wrote to memory of 5068	3108	cmd.exe	96
PID 3108 wrote to memory of 5068	3108	cmd.exe	96
PID 1140 wrote to memory of 1648	1140	EU.exe	97
PID 1140 wrote to memory of 1648	1140	EU.exe	97
PID 1140 wrote to memory of 1648	1140	EU.exe	97
PID 1140 wrote to memory of 1108	1140	EU.exe	98
PID 1140 wrote to memory of 1108	1140	EU.exe	98
PID 1140 wrote to memory of 4692	1140	EU.exe	99
PID 1140 wrote to memory of 4692	1140	EU.exe	99
PID 1188 wrote to memory of 4784	1188	Load.exe	100
PID 1188 wrote to memory of 4784	1188	Load.exe	100
PID 4784 wrote to memory of 1436	4784	cmd.exe	102
PID 4784 wrote to memory of 1436	4784	cmd.exe	102
PID 1108 wrote to memory of 4436	1108	Load.exe	103
PID 1108 wrote to memory of 4436	1108	Load.exe	103
PID 4436 wrote to memory of 2164	4436	cmd.exe	105
PID 4436 wrote to memory of 2164	4436	cmd.exe	105
PID 4692 wrote to memory of 2304	4692	EU.exe	106
PID 4692 wrote to memory of 2304	4692	EU.exe	106
PID 4692 wrote to memory of 2304	4692	EU.exe	106
PID 4692 wrote to memory of 1120	4692	EU.exe	107
PID 4692 wrote to memory of 1120	4692	EU.exe	107
PID 4692 wrote to memory of 4500	4692	EU.exe	108
PID 4692 wrote to memory of 4500	4692	EU.exe	108
PID 1108 wrote to memory of 4336	1108	Load.exe	109
PID 1108 wrote to memory of 4336	1108	Load.exe	109
PID 4336 wrote to memory of 5048	4336	cmd.exe	111
PID 4336 wrote to memory of 5048	4336	cmd.exe	111
PID 1120 wrote to memory of 4032	1120	Load.exe	112
PID 1120 wrote to memory of 4032	1120	Load.exe	112
PID 4032 wrote to memory of 3928	4032	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EU.exe
"C:\Users\Admin\AppData\Local\Temp\EU.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\Done.exe
  "C:\Users\Admin\AppData\Local\Temp\Done.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Local\ACCApi\apihost.exe" /st 12:58 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- - C:\Users\Admin\AppData\Local\ACCApi\apihost.exe
    "C:\Users\Admin\AppData\Local\ACCApi\apihost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:572
- C:\Users\Admin\AppData\Local\Temp\Load.exe
  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB853.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4884
- C:\Users\Admin\AppData\Local\Temp\EU.exe
  "C:\Users\Admin\AppData\Local\Temp\EU.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\Done.exe
    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Users\Admin\AppData\Local\Temp\Load.exe
    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3108
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4A8.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1436
- - C:\Users\Admin\AppData\Local\Temp\EU.exe
    "C:\Users\Admin\AppData\Local\Temp\EU.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\Done.exe
      "C:\Users\Admin\AppData\Local\Temp\Done.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\Load.exe
      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4436
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2164
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCED9.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:5048
      - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\EU.exe
      "C:\Users\Admin\AppData\Local\Temp\EU.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD745.tmp.bat""
        6⤵
        
        PID:5060
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        5⤵
        
        PID:4500
      - C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
      - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        7⤵
        
        PID:1592
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDFB1.tmp.bat""
        7⤵
        
        PID:4772
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
      - C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        6⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        8⤵
        
        PID:4800
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE7C0.tmp.bat""
        8⤵
        
        PID:3468
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        7⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        9⤵
        
        PID:1596
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEFAF.tmp.bat""
        9⤵
        
        PID:1676
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:416
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        8⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        10⤵
        
        PID:3536
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF86A.tmp.bat""
        10⤵
        
        PID:4376
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:4328
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        9⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        11⤵
        
        PID:3456
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp191.tmp.bat""
        11⤵
        
        PID:4092
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        12⤵
        Delays execution with timeout.exe
        
        PID:720
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        10⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        12⤵
        
        PID:3564
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA2C.tmp.bat""
        12⤵
        
        PID:1084
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        13⤵
        Delays execution with timeout.exe
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        11⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        12⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        13⤵
        
        PID:2072
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp12D7.tmp.bat""
        13⤵
        
        PID:4436
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        14⤵
        Delays execution with timeout.exe
        
        PID:4932
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        12⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        14⤵
        
        PID:984
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B63.tmp.bat""
        14⤵
        
        PID:3632
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        15⤵
        Delays execution with timeout.exe
        
        PID:5072
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        13⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        15⤵
        
        PID:4500
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp25F2.tmp.bat""
        15⤵
        
        PID:2288
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        16⤵
        Delays execution with timeout.exe
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        14⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        16⤵
        
        PID:2812
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2EFA.tmp.bat""
        16⤵
        
        PID:5020
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        17⤵
        Delays execution with timeout.exe
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        15⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        17⤵
        
        PID:3144
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3B6E.tmp.bat""
        17⤵
        
        PID:3616
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        18⤵
        Delays execution with timeout.exe
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        16⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        18⤵
        
        PID:1732
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4263.tmp.bat""
        18⤵
        
        PID:2996
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        19⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        17⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        18⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        19⤵
        
        PID:4648
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4A43.tmp.bat""
        19⤵
        
        PID:388
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        20⤵
        Delays execution with timeout.exe
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        18⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        20⤵
        
        PID:3668
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp537A.tmp.bat""
        20⤵
        
        PID:244
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        21⤵
        Delays execution with timeout.exe
        
        PID:4692
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        19⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        21⤵
        
        PID:1512
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5BA8.tmp.bat""
        21⤵
        
        PID:3464
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        22⤵
        Delays execution with timeout.exe
        
        PID:3432
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        20⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        22⤵
        
        PID:2836
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp64A1.tmp.bat""
        22⤵
        
        PID:1704
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        23⤵
        Delays execution with timeout.exe
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        21⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        23⤵
        
        PID:1396
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        24⤵
        
        PID:4700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D7A.tmp.bat""
        23⤵
        
        PID:4512
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        24⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        22⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        24⤵
        
        PID:4912
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7606.tmp.bat""
        24⤵
        
        PID:4968
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        25⤵
        Delays execution with timeout.exe
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        23⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        25⤵
        
        PID:236
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7EC0.tmp.bat""
        25⤵
        
        PID:3036
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        26⤵
        Delays execution with timeout.exe
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        24⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        26⤵
        
        PID:2752
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp877B.tmp.bat""
        26⤵
        
        PID:4156
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        27⤵
        Delays execution with timeout.exe
        
        PID:3576
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        25⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        27⤵
        
        PID:3364
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp90F0.tmp.bat""
        27⤵
        
        PID:3108
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        28⤵
        Delays execution with timeout.exe
        
        PID:4996
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        26⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        28⤵
        
        PID:5008
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp993D.tmp.bat""
        28⤵
        
        PID:1788
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        29⤵
        Delays execution with timeout.exe
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        27⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        29⤵
        
        PID:2360
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA207.tmp.bat""
        29⤵
        
        PID:2564
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        30⤵
        Delays execution with timeout.exe
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        28⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        29⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        30⤵
        
        PID:1704
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAAE1.tmp.bat""
        30⤵
        
        PID:1936
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        31⤵
        Delays execution with timeout.exe
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        29⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        31⤵
        
        PID:3504
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB428.tmp.bat""
        31⤵
        
        PID:1472
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        32⤵
        Delays execution with timeout.exe
        
        PID:648
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        30⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        32⤵
        
        PID:2232
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD21.tmp.bat""
        32⤵
        
        PID:4748
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        33⤵
        Delays execution with timeout.exe
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        31⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        33⤵
        
        PID:436
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC5CC.tmp.bat""
        33⤵
        
        PID:4260
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        34⤵
        Delays execution with timeout.exe
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        32⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        33⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        34⤵
        
        PID:1512
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF42.tmp.bat""
        34⤵
        
        PID:2808
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        35⤵
        Delays execution with timeout.exe
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        35⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        33⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        35⤵
        
        PID:3496
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD77F.tmp.bat""
        35⤵
        
        PID:4536
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        36⤵
        Delays execution with timeout.exe
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        36⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        34⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        36⤵
        
        PID:4508
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE01A.tmp.bat""
        36⤵
        
        PID:2332
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        37⤵
        Delays execution with timeout.exe
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        37⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        35⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        36⤵
        
        PID:4800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        37⤵
        
        PID:5020
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        38⤵
        
        PID:596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE8E4.tmp.bat""
        37⤵
        
        PID:2904
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        38⤵
        Delays execution with timeout.exe
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        38⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        36⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        37⤵
        
        PID:3188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        38⤵
        
        PID:3564
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp.bat""
        38⤵
        
        PID:4764
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        39⤵
        Delays execution with timeout.exe
        
        PID:4284
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        39⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        37⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        38⤵
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        39⤵
        
        PID:4072
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFAA7.tmp.bat""
        39⤵
        
        PID:780
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        40⤵
        Delays execution with timeout.exe
        
        PID:3144
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        40⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        38⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        39⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        39⤵
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        40⤵
        
        PID:4112
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp381.tmp.bat""
        40⤵
        
        PID:4712
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        41⤵
        Delays execution with timeout.exe
        
        PID:4748
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        41⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        39⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        40⤵
        
        PID:652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        41⤵
        
        PID:3560
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        42⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC2B.tmp.bat""
        41⤵
        
        PID:4540
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        42⤵
        Delays execution with timeout.exe
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        42⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        40⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        41⤵
        
        PID:4104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        42⤵
        
        PID:3752
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1505.tmp.bat""
        42⤵
        
        PID:1472
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        43⤵
        Delays execution with timeout.exe
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        43⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        41⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        42⤵
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        43⤵
        
        PID:572
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        44⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1DDF.tmp.bat""
        43⤵
        
        PID:3108
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        44⤵
        Delays execution with timeout.exe
        
        PID:3104
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        44⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        42⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        43⤵
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        44⤵
        
        PID:3640
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp29A6.tmp.bat""
        44⤵
        
        PID:2480
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        45⤵
        Delays execution with timeout.exe
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        43⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        44⤵
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        45⤵
        
        PID:4700
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        46⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2FE0.tmp.bat""
        45⤵
        
        PID:4224
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        46⤵
        Delays execution with timeout.exe
        
        PID:4788
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        46⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        44⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        45⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        45⤵
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        46⤵
        
        PID:4072
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp384C.tmp.bat""
        46⤵
        
        PID:4912
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        47⤵
        Delays execution with timeout.exe
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        45⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        46⤵
        
        PID:1392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        47⤵
        
        PID:3324
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        48⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp41D2.tmp.bat""
        47⤵
        
        PID:1496
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        48⤵
        Delays execution with timeout.exe
        
        PID:3104
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        48⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        46⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        47⤵
        
        PID:5020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        48⤵
        
        PID:3736
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4B09.tmp.bat""
        48⤵
        
        PID:2964
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        49⤵
        Delays execution with timeout.exe
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        49⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        47⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        48⤵
        
        PID:4884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        49⤵
        
        PID:1936
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        50⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5395.tmp.bat""
        49⤵
        
        PID:2856
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        50⤵
        Delays execution with timeout.exe
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        50⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        48⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        49⤵
        
        PID:240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        50⤵
        
        PID:740
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5C7E.tmp.bat""
        50⤵
        
        PID:1184
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        51⤵
        Delays execution with timeout.exe
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        51⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        49⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        50⤵
        
        PID:3884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        51⤵
        
        PID:5020
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        52⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp65A6.tmp.bat""
        51⤵
        
        PID:1756
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        52⤵
        Delays execution with timeout.exe
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        52⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        50⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        51⤵
        
        PID:2960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        52⤵
        
        PID:448
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E41.tmp.bat""
        52⤵
        
        PID:2428
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        53⤵
        Delays execution with timeout.exe
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        53⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        51⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        52⤵
        
        PID:4932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        53⤵
        
        PID:4788
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        54⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp76FB.tmp.bat""
        53⤵
        
        PID:4764
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        54⤵
        Delays execution with timeout.exe
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        54⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        52⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        53⤵
        
        PID:1532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        54⤵
        
        PID:1604
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FB5.tmp.bat""
        54⤵
        
        PID:3056
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        55⤵
        Delays execution with timeout.exe
        
        PID:4908
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        55⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        53⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        54⤵
        
        PID:5068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        55⤵
        
        PID:3536
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        56⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp89E7.tmp.bat""
        55⤵
        
        PID:328
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        56⤵
        Delays execution with timeout.exe
        
        PID:4080
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        56⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        54⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        55⤵
        
        PID:4912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        56⤵
        
        PID:4132
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp91C6.tmp.bat""
        56⤵
        
        PID:3128
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        57⤵
        Delays execution with timeout.exe
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        57⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        55⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        56⤵
        
        PID:4020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        57⤵
        
        PID:804
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        58⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9A71.tmp.bat""
        57⤵
        
        PID:3752
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        58⤵
        Delays execution with timeout.exe
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        58⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        56⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        57⤵
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        58⤵
        
        PID:436
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA30C.tmp.bat""
        58⤵
        
        PID:3312
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        59⤵
        Delays execution with timeout.exe
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        59⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        57⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        58⤵
        
        PID:4836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        59⤵
        
        PID:2664
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        60⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC34.tmp.bat""
        59⤵
        
        PID:4932
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        60⤵
        Delays execution with timeout.exe
        
        PID:4348
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        60⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        58⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        59⤵
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        60⤵
        
        PID:396
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB4B0.tmp.bat""
        60⤵
        
        PID:4748
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        61⤵
        Delays execution with timeout.exe
        
        PID:716
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        61⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        59⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        60⤵
        
        PID:4872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        61⤵
        
        PID:3128
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        62⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD8A.tmp.bat""
        61⤵
        
        PID:1992
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        62⤵
        Delays execution with timeout.exe
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        62⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        60⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        61⤵
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        62⤵
        
        PID:1728
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC5E6.tmp.bat""
        62⤵
        
        PID:1736
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        63⤵
        Delays execution with timeout.exe
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        63⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        61⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        62⤵
        
        PID:3168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        63⤵
        
        PID:4800
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        64⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCECF.tmp.bat""
        63⤵
        
        PID:5000
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        64⤵
        Delays execution with timeout.exe
        
        PID:4500
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        64⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        62⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        63⤵
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        64⤵
        
        PID:2784
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD7B9.tmp.bat""
        64⤵
        
        PID:4328
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        65⤵
        Delays execution with timeout.exe
        
        PID:4432
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        65⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        63⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        64⤵
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        65⤵
        
        PID:4308
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        66⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE044.tmp.bat""
        65⤵
        
        PID:1936
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        66⤵
        Delays execution with timeout.exe
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        64⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        65⤵
        
        PID:3176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        66⤵
        
        PID:3360
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE94D.tmp.bat""
        66⤵
        
        PID:1332
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        67⤵
        Delays execution with timeout.exe
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        65⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        66⤵
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        67⤵
        
        PID:1984
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        68⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        66⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        67⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        67⤵
        
        PID:1696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3164

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4108

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2572

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5044

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5080

C:\Windows\System32\timeout.exe
"C:\Windows\System32\timeout.exe"
1⤵
- Delays execution with timeout.exe
PID:4892

C:\Windows\System32\timeout.exe
"C:\Windows\System32\timeout.exe"
1⤵
- Delays execution with timeout.exe
PID:4932

C:\Windows\System32\tracerpt.exe
"C:\Windows\System32\tracerpt.exe"
1⤵
PID:2780

C:\Windows\System32\TRACERT.EXE
"C:\Windows\System32\TRACERT.EXE"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EU.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Load.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Done.exe.log

Filesize
410B

MD5
8204cbfa4d618b8ad65341ae96ae3c42

SHA1
6745a674b5850509410c22f4572edee31b56276c

SHA256
220bb31ef0011c1c13e3784ae3c8e6093cf651fc56e59d429bd82b81f20240b1

SHA512
f498ac162d6c1e15d7bba49f47e7b581cc059ff2a0341b49f089b19741bf027e46740b5b3ef1ec553569ec0e7bbb51a7218c3047af4eca4b7914e51d5f31916f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d85973d4-b2ce-435a-b044-b19c14397c44.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Done.exe

Filesize
69KB

MD5
2453fa8ef7ccc79cada8679f06f2be53

SHA1
b3db41bc85d300a069e6636b5c9e7dcf0a6a95b2

SHA256
e0e329ca03adcd56c5ff4a5cbdaff475a1cf636dfce64b7da1a05f5c74daac88

SHA512
a28398843232745153b3f57d2166aca95e9f930a8334c0ffdb2db192fc8cc8b2d5f5a0a0d123a996f2aa738668209a3541ffb9ed6f42f665aefb9300cd3d45d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Load.exe

Filesize
74KB

MD5
4fc5086bcb8939429aea99f7322e619b

SHA1
8d3bd7d005710a8ae0bd0143d18b437be20018d7

SHA256
e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd

SHA512
04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzhzpoul.qct.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12D7.tmp.bat

Filesize
148B

MD5
a7e887eef2d26b1793e544b6aa97e616

SHA1
df426e1f9ad4521d5bf58e90284e93bd74592e47

SHA256
8becc6b69af136b4ed54f6ee35efd5a3850d8f6a36e4af13fe9550921ade881e

SHA512
1ee5cd984dc940be78a9e0ff8f352137e93b9298d6f00af2bc116135ecdd6e1601acbe48bcd49d8bca9a593d56e81a396a720123d55a619244263ad15d1474ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp191.tmp.bat

Filesize
147B

MD5
e352a87b1f1f1ec2117b7b78889b545a

SHA1
653b808152cea2bc297601bde65e85aa7853af06

SHA256
cfda1e47e9bb79104ad3c902b33b577ce8cee317ef27ad403be44bcb0174c026

SHA512
718a91274d0e2f14467af426ee7b2a4c8df97f7c6972747984c3ed91a0366b7017ef380f401055408568933e89b08ac640f764fe7d46b4e0062f82037bbaf6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2C.tmp.bat

Filesize
147B

MD5
49255f49169bf4f3ecad55623d1e02f1

SHA1
5e5975f96598477d2b3b9ff4910ee7ccb2fa2b39

SHA256
f7cd3e189fde3476ab0149e0b11dc0f35deba55ddf8538bd80b73291ea07a327

SHA512
c00519cf170acffa15d125b26a85a7efc43e1eced5662dbaa53c60b67051a5e3cd9e6e33d8413693bc320c905727fc46e948bc42b820e7edc32319e74e770060

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB853.tmp.bat

Filesize
148B

MD5
04cb1afe381c49044b05765c70950853

SHA1
b46c0e8fdd1ba0d4f68b3ea003fbbb9be3ed041f

SHA256
4c10c4a17cf5cde5263340265ebfee2f9068ea745bdf25a621472446c18e24db

SHA512
2737dee0caa20cc1ae2f601129b17fc06042761bc5476b7fd773d9c9e65f93a540a7ed92172a44f3c56e45ed9a1c6a3bc52c3fe0377a820351e312617bdb94f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4A8.tmp.bat

Filesize
148B

MD5
7938525bc2e8745c0e018a7be2535387

SHA1
abc6e7a7b2cb1f9c2b8c339d005e743231fa8de0

SHA256
044e5640269840440d4fd0889ffd22395ef2ee99eb93a494c501462178736929

SHA512
50487dec6497f10fab3f79e759f9df7737b74ffb28d6e4ab64618f779b28d25d50e414ae4bc506d160420781ca6fee41cae5e5a3640673e2a26a078c9e5f37b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCED9.tmp.bat

Filesize
148B

MD5
0b219381694e939dba80046f24a99d36

SHA1
bacb52fd2cb5181c70af296fefa69303e9c335d5

SHA256
db313055e60a8a3e280e3a9cd30a9d453e4f7b1d2fa25b7117019b9e5526b694

SHA512
f2f891e4ebf759cee79940375e803c545f89d87301ac571d207ec95fb6c541601d83e26cd3a9f47535aed5ceac3584186edad691035f9e96b54791a3ffd6dc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD745.tmp.bat

Filesize
148B

MD5
c25e9e9d4dbcbaa9a179868c4a10dd09

SHA1
2e85750db5e948e68368998adb50f9a30f01f417

SHA256
ba9b0d52ffe4d80fd0b8671e6b3caf10d977402d97d0b6f9a6f5e455c2f7ca42

SHA512
e761a6b401a7adc6e0b4091a88f03c7b4d21b57db52f6ca858ac95b396a6a3b7faad93e0781412449c4fdcac293defa58d059a07d9b52de2ea36b1618058498b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDFB1.tmp.bat

Filesize
148B

MD5
9785b1ef9d47c8ca27a47784e8942f38

SHA1
3a9ad241c7b0d0afe6428691df68a2c3e5aa57c9

SHA256
8c10a87e0d266646391cdc498ed8670f1d378d80dd1955e52e21b00becefcbb4

SHA512
c92b1fbe4e9231be4101b7c9223f28f13d7c4f2d7fb6154bb9767f1422d44c7377c04c801978c9b3d7fe85eacbe72917ef466d9e8235be71c8a33a55c5798fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7C0.tmp.bat

Filesize
148B

MD5
f5f9ff12fdaa61dc3c697345d3a75397

SHA1
7602e7b25ef3a5a170e631b25ae37ccf62b5929b

SHA256
4c8c6bff1580cd02d30e29aea7f95b11a5b83532147d4bd39b0c143fb5c204e6

SHA512
0b4279fe5a6267e7039780b8c8a1255f8754b06dbc3172edece8c5df5349267d21df59ff28cf994e0c30c64fe5f49737b3df8d54c28725941ac9020f1e5dd650

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEFAF.tmp.bat

Filesize
148B

MD5
2af2986a53f1ea6a8e4809af639e1270

SHA1
78375c158f61d91085caf875da5a69d8dd76ba49

SHA256
1f4c8fdf74638ff4853a30434112e3070826a9b1ee0aae89a2483fe00358e3e2

SHA512
30706fa4b03b62290e6330c2ef2194c8c3e5cf25f554b84c09eb3bc4985a24c00b195ce5978c2e5c0f2f90760ebf48eb9820636c3083a67feb5db1e06df20a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF86A.tmp.bat

Filesize
148B

MD5
7affd9ff6ce50c9856b2595b09243928

SHA1
49fb6ffa37d8563b199433c4422fe7baeccc3232

SHA256
1a2a0cab3bed2bee1015a0ce10d7d9bc73367820b538891ffc46d1be449290c2

SHA512
55e04fc520bb0c3fef465273ce1b87069ae747296e823c92bd9ce0e4239012e34c56eb522f45b9f7322a0f27335921203faa289e30697eb41bbc3b402cadd4fa

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/2308-0-0x00007FF834CF3000-0x00007FF834CF5000-memory.dmp

Filesize
8KB

Download
memory/2308-1-0x0000000000C00000-0x0000000000E20000-memory.dmp

Filesize
2.1MB

Download
memory/2308-10-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/2308-30-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/2368-98-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/2368-110-0x0000000007250000-0x000000000725E000-memory.dmp

Filesize
56KB

Download
memory/2368-86-0x0000000072350000-0x000000007239C000-memory.dmp

Filesize
304KB

Download
memory/2368-95-0x0000000006CB0000-0x0000000006CCE000-memory.dmp

Filesize
120KB

Download
memory/2368-85-0x0000000006290000-0x00000000062C4000-memory.dmp

Filesize
208KB

Download
memory/2368-96-0x0000000006CD0000-0x0000000006D74000-memory.dmp

Filesize
656KB

Download
memory/2368-70-0x00000000050B0000-0x0000000005116000-memory.dmp

Filesize
408KB

Download
memory/2368-99-0x0000000007010000-0x000000000702A000-memory.dmp

Filesize
104KB

Download
memory/2368-83-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

Filesize
120KB

Download
memory/2368-59-0x0000000005140000-0x000000000576A000-memory.dmp

Filesize
6.2MB

Download
memory/2368-72-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/2368-105-0x00000000072A0000-0x0000000007336000-memory.dmp

Filesize
600KB

Download
memory/2368-106-0x0000000007220000-0x0000000007231000-memory.dmp

Filesize
68KB

Download
memory/2368-67-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/2368-58-0x00000000024C0000-0x00000000024F6000-memory.dmp

Filesize
216KB

Download
memory/2368-113-0x0000000007260000-0x0000000007275000-memory.dmp

Filesize
84KB

Download
memory/2368-114-0x0000000007360000-0x000000000737A000-memory.dmp

Filesize
104KB

Download
memory/2368-115-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download
memory/2368-100-0x0000000007090000-0x000000000709A000-memory.dmp

Filesize
40KB

Download
memory/2368-84-0x0000000005D00000-0x0000000005D4C000-memory.dmp

Filesize
304KB

Download
memory/2368-82-0x0000000005850000-0x0000000005BA7000-memory.dmp

Filesize
3.3MB

Download
memory/2596-102-0x0000000005A90000-0x0000000005A9A000-memory.dmp

Filesize
40KB

Download
memory/4208-32-0x0000000005230000-0x00000000057D6000-memory.dmp

Filesize
5.6MB

Download
memory/4208-31-0x0000000000280000-0x0000000000298000-memory.dmp

Filesize
96KB

Download
memory/4208-33-0x0000000004C80000-0x0000000004D12000-memory.dmp

Filesize
584KB

Download
memory/4976-28-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/4976-27-0x0000000000180000-0x0000000000198000-memory.dmp

Filesize
96KB

Download
memory/4976-38-0x00007FF834CF0000-0x00007FF8357B2000-memory.dmp

Filesize
10.8MB

Download
memory/5080-332-0x000001BC3A080000-0x000001BC3A081000-memory.dmp

Filesize
4KB

Download
memory/5080-326-0x000001BC3A080000-0x000001BC3A081000-memory.dmp

Filesize
4KB

Download
memory/5080-325-0x000001BC3A080000-0x000001BC3A081000-memory.dmp

Filesize
4KB

Download
memory/5080-333-0x000001BC3A080000-0x000001BC3A081000-memory.dmp

Filesize
4KB

Download
memory/5080-337-0x000001BC3A080000-0x000001BC3A081000-memory.dmp

Filesize
4KB

Download
memory/5080-336-0x000001BC3A080000-0x000001BC3A081000-memory.dmp

Filesize
4KB

Download
memory/5080-335-0x000001BC3A080000-0x000001BC3A081000-memory.dmp

Filesize
4KB

Download
memory/5080-334-0x000001BC3A080000-0x000001BC3A081000-memory.dmp

Filesize
4KB

Download
memory/5080-327-0x000001BC3A080000-0x000001BC3A081000-memory.dmp

Filesize
4KB

Download
memory/5080-331-0x000001BC3A080000-0x000001BC3A081000-memory.dmp

Filesize
4KB

Download