asyncrat | 3c65766763fc26ba80bd11313a587f3e3206f9ba3fea6a39decd66a700cc9213

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EU.exe
Size

2.1MB
MD5

84714242749ee3c7f626d1e9684e391a
SHA1

f17abb2ab4ff1bb08360420c73e4d9496045ac1e
SHA256

3c65766763fc26ba80bd11313a587f3e3206f9ba3fea6a39decd66a700cc9213
SHA512

513010ecf933aaa85ae887b59aa03b8ddebc406cdd9ae3b889fdb2768ab33e363f81d17813e5caefe42e57162b45a81097a95723345e232b288be432150b4a28
SSDEEP

49152:n2mx9FhsvlnBh5WYNo4QP6Dc3V0bO2EYTRIagYDitK/z5:n2m9WTNopCDc3V0bJE6RrHiE/z

Score

10^/10

asyncrat venomrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes

delay
1
install
true
install_file
Load.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/files/0x0031000000023b75-17.dat	VenomRAT
behavioral2/memory/4248-28-0x0000000000C50000-0x0000000000C68000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0031000000023b75-17.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4204	powershell.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	EU.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk	Done.exe

Executes dropped EXE 64 IoCs

pid	Process
980	Done.exe
4248	Load.exe
640	Done.exe
2852	Load.exe
4916	apihost.exe
2164	Done.exe
3584	Load.exe
2336	Done.exe
1992	Load.exe
5088	Load.exe
3088	Done.exe
1996	Load.exe
832	Load.exe
2776	Done.exe
2840	Load.exe
4868	Load.exe
1856	Done.exe
2356	Load.exe
4380	Load.exe
4808	Done.exe
5092	Load.exe
3352	Load.exe
2360	Done.exe
4840	Load.exe
5028	Load.exe
536	Done.exe
64	Load.exe
116	Load.exe
4968	Done.exe
3036	Load.exe
4140	Load.exe
8	Done.exe
4296	Load.exe
2140	Done.exe
544	Load.exe
5048	Load.exe
2080	Done.exe
4284	Load.exe
5108	Load.exe
3468	Done.exe
2580	Load.exe
2896	Load.exe
992	Done.exe
4956	Load.exe
2564	Done.exe
2360	Load.exe
5092	Load.exe
2432	Done.exe
544	Load.exe
5104	Load.exe
516	Done.exe
3000	Load.exe
2896	Load.exe
4608	Done.exe
4204	Load.exe
716	Load.exe
336	Done.exe
2324	Load.exe
4620	Load.exe
1440	Done.exe
3160	Load.exe
5096	Load.exe
2432	Done.exe
4260	Load.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apihost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
4632	timeout.exe
4204	timeout.exe
1340	timeout.exe
1236	timeout.exe
5036	timeout.exe
1472	timeout.exe
2384	timeout.exe
232	timeout.exe
832	timeout.exe
2900	timeout.exe
1016	timeout.exe
2036	timeout.exe
2380	timeout.exe
3160	timeout.exe
2184	timeout.exe
1416	timeout.exe
3876	timeout.exe
3468	timeout.exe
1060	timeout.exe
4264	timeout.exe
4336	timeout.exe
980	timeout.exe
5096	timeout.exe
2936	timeout.exe
1332	timeout.exe
3408	timeout.exe
3588	timeout.exe
1244	timeout.exe
2404	timeout.exe
4204	timeout.exe
3124	timeout.exe
4148	timeout.exe
2064	timeout.exe
3628	timeout.exe
2656	timeout.exe
2652	timeout.exe
2088	timeout.exe
3680	timeout.exe
1376	timeout.exe
4568	timeout.exe
392	timeout.exe
4780	timeout.exe
4700	timeout.exe
2028	timeout.exe
1396	timeout.exe
2184	timeout.exe
2840	timeout.exe
3052	timeout.exe
3628	timeout.exe
5080	timeout.exe
4376	timeout.exe
1264	timeout.exe
4484	timeout.exe
3108	timeout.exe
4924	timeout.exe
2752	timeout.exe
2016	timeout.exe
3808	timeout.exe
2372	timeout.exe
4892	timeout.exe
4516	timeout.exe
4632	timeout.exe
1968	timeout.exe
2824	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3416	schtasks.exe
4128	schtasks.exe
3036	schtasks.exe
3312	schtasks.exe
2432	schtasks.exe
2952	schtasks.exe
4004	schtasks.exe
2736	schtasks.exe
1488	schtasks.exe
1672	schtasks.exe
4304	schtasks.exe
4392	schtasks.exe
4808	schtasks.exe
4756	schtasks.exe
64	schtasks.exe
3312	schtasks.exe
4280	schtasks.exe
400	schtasks.exe
4912	schtasks.exe
1400	schtasks.exe
3568	schtasks.exe
4392	schtasks.exe
468	schtasks.exe
1212	schtasks.exe
3972	schtasks.exe
2936	schtasks.exe
3564	schtasks.exe
1748	schtasks.exe
3132	schtasks.exe
4356	schtasks.exe
4296	schtasks.exe
2964	schtasks.exe
2860	schtasks.exe
4084	schtasks.exe
544	schtasks.exe
3312	schtasks.exe
4852	schtasks.exe
4012	schtasks.exe
4520	schtasks.exe
2184	schtasks.exe
1856	schtasks.exe
2896	schtasks.exe
3364	schtasks.exe
3696	schtasks.exe
1268	schtasks.exe
2348	schtasks.exe
5096	schtasks.exe
2852	schtasks.exe
3560	schtasks.exe
980	schtasks.exe
2684	schtasks.exe
4340	schtasks.exe
2796	schtasks.exe
3624	schtasks.exe
3180	schtasks.exe
4632	schtasks.exe
2016	schtasks.exe
2184	schtasks.exe
4612	schtasks.exe
4296	schtasks.exe
3624	schtasks.exe
3116	schtasks.exe
3380	schtasks.exe
636	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
640	Done.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4248	Load.exe
4204	powershell.exe
4204	powershell.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
2852	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe
3584	Load.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	Load.exe
Token: SeDebugPrivilege	2852	Load.exe
Token: SeDebugPrivilege	980	Done.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	640	Done.exe
Token: SeDebugPrivilege	3584	Load.exe
Token: SeDebugPrivilege	1992	Load.exe
Token: SeDebugPrivilege	5088	Load.exe
Token: SeDebugPrivilege	1996	Load.exe
Token: SeDebugPrivilege	832	Load.exe
Token: SeDebugPrivilege	2840	Load.exe
Token: SeDebugPrivilege	4868	Load.exe
Token: SeDebugPrivilege	2356	Load.exe
Token: SeDebugPrivilege	4380	Load.exe
Token: SeDebugPrivilege	5092	Load.exe
Token: SeDebugPrivilege	3352	Load.exe
Token: SeDebugPrivilege	4840	Load.exe
Token: SeDebugPrivilege	5028	Load.exe
Token: SeDebugPrivilege	64	Load.exe
Token: SeDebugPrivilege	116	Load.exe
Token: SeDebugPrivilege	3036	Load.exe
Token: SeDebugPrivilege	4140	Load.exe
Token: SeDebugPrivilege	4296	Load.exe
Token: SeDebugPrivilege	544	Load.exe
Token: SeDebugPrivilege	5048	Load.exe
Token: SeDebugPrivilege	4284	Load.exe
Token: SeDebugPrivilege	5108	Load.exe
Token: SeDebugPrivilege	2580	Load.exe
Token: SeDebugPrivilege	2896	Load.exe
Token: SeDebugPrivilege	4956	Load.exe
Token: SeDebugPrivilege	2360	Load.exe
Token: SeDebugPrivilege	5092	Load.exe
Token: SeDebugPrivilege	544	Load.exe
Token: SeDebugPrivilege	5104	Load.exe
Token: SeDebugPrivilege	3000	Load.exe
Token: SeDebugPrivilege	2896	Load.exe
Token: SeDebugPrivilege	4204	Load.exe
Token: SeDebugPrivilege	716	Load.exe
Token: SeDebugPrivilege	2324	Load.exe
Token: SeDebugPrivilege	4620	Load.exe
Token: SeDebugPrivilege	3160	Load.exe
Token: SeDebugPrivilege	5096	Load.exe
Token: SeDebugPrivilege	4260	Load.exe
Token: SeDebugPrivilege	1672	Load.exe
Token: SeDebugPrivilege	2860	Load.exe
Token: SeDebugPrivilege	4860	Load.exe
Token: SeDebugPrivilege	4904	Load.exe
Token: SeDebugPrivilege	5040	Load.exe
Token: SeDebugPrivilege	3056	Load.exe
Token: SeDebugPrivilege	3048	Load.exe
Token: SeDebugPrivilege	4504	Load.exe
Token: SeDebugPrivilege	4736	Load.exe
Token: SeDebugPrivilege	392	Load.exe
Token: SeDebugPrivilege	2592	Load.exe
Token: SeDebugPrivilege	4896	Load.exe
Token: SeDebugPrivilege	4464	Load.exe
Token: SeDebugPrivilege	4204	Load.exe
Token: SeDebugPrivilege	4788	Load.exe
Token: SeDebugPrivilege	3964	Load.exe
Token: SeDebugPrivilege	1764	Load.exe
Token: SeDebugPrivilege	5068	Load.exe
Token: SeDebugPrivilege	1008	Load.exe
Token: SeDebugPrivilege	968	Load.exe
Token: SeDebugPrivilege	3696	Load.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 980	4080	EU.exe	82
PID 4080 wrote to memory of 980	4080	EU.exe	82
PID 4080 wrote to memory of 980	4080	EU.exe	82
PID 4080 wrote to memory of 4248	4080	EU.exe	83
PID 4080 wrote to memory of 4248	4080	EU.exe	83
PID 4080 wrote to memory of 3528	4080	EU.exe	84
PID 4080 wrote to memory of 3528	4080	EU.exe	84
PID 4248 wrote to memory of 4340	4248	Load.exe	85
PID 4248 wrote to memory of 4340	4248	Load.exe	85
PID 4248 wrote to memory of 776	4248	Load.exe	87
PID 4248 wrote to memory of 776	4248	Load.exe	87
PID 4340 wrote to memory of 2684	4340	cmd.exe	89
PID 4340 wrote to memory of 2684	4340	cmd.exe	89
PID 776 wrote to memory of 2752	776	cmd.exe	90
PID 776 wrote to memory of 2752	776	cmd.exe	90
PID 3528 wrote to memory of 640	3528	EU.exe	91
PID 3528 wrote to memory of 640	3528	EU.exe	91
PID 3528 wrote to memory of 640	3528	EU.exe	91
PID 3528 wrote to memory of 2852	3528	EU.exe	92
PID 3528 wrote to memory of 2852	3528	EU.exe	92
PID 3528 wrote to memory of 4596	3528	EU.exe	93
PID 3528 wrote to memory of 4596	3528	EU.exe	93
PID 980 wrote to memory of 4204	980	Done.exe	94
PID 980 wrote to memory of 4204	980	Done.exe	94
PID 980 wrote to memory of 4204	980	Done.exe	94
PID 980 wrote to memory of 1488	980	Done.exe	95
PID 980 wrote to memory of 1488	980	Done.exe	95
PID 980 wrote to memory of 1488	980	Done.exe	95
PID 980 wrote to memory of 4916	980	Done.exe	98
PID 980 wrote to memory of 4916	980	Done.exe	98
PID 980 wrote to memory of 4916	980	Done.exe	98
PID 2852 wrote to memory of 1028	2852	Load.exe	99
PID 2852 wrote to memory of 1028	2852	Load.exe	99
PID 1028 wrote to memory of 1672	1028	cmd.exe	101
PID 1028 wrote to memory of 1672	1028	cmd.exe	101
PID 4596 wrote to memory of 2164	4596	EU.exe	102
PID 4596 wrote to memory of 2164	4596	EU.exe	102
PID 4596 wrote to memory of 2164	4596	EU.exe	102
PID 4596 wrote to memory of 3584	4596	EU.exe	103
PID 4596 wrote to memory of 3584	4596	EU.exe	103
PID 4596 wrote to memory of 4496	4596	EU.exe	104
PID 4596 wrote to memory of 4496	4596	EU.exe	104
PID 2852 wrote to memory of 4472	2852	Load.exe	105
PID 2852 wrote to memory of 4472	2852	Load.exe	105
PID 4472 wrote to memory of 3124	4472	cmd.exe	107
PID 4472 wrote to memory of 3124	4472	cmd.exe	107
PID 3584 wrote to memory of 4328	3584	Load.exe	108
PID 3584 wrote to memory of 4328	3584	Load.exe	108
PID 4328 wrote to memory of 3116	4328	cmd.exe	110
PID 4328 wrote to memory of 3116	4328	cmd.exe	110
PID 4496 wrote to memory of 2336	4496	EU.exe	111
PID 4496 wrote to memory of 2336	4496	EU.exe	111
PID 4496 wrote to memory of 2336	4496	EU.exe	111
PID 4496 wrote to memory of 1992	4496	EU.exe	112
PID 4496 wrote to memory of 1992	4496	EU.exe	112
PID 4496 wrote to memory of 3300	4496	EU.exe	113
PID 4496 wrote to memory of 3300	4496	EU.exe	113
PID 3584 wrote to memory of 468	3584	Load.exe	114
PID 3584 wrote to memory of 468	3584	Load.exe	114
PID 4472 wrote to memory of 5088	4472	cmd.exe	116
PID 4472 wrote to memory of 5088	4472	cmd.exe	116
PID 468 wrote to memory of 1472	468	cmd.exe	117
PID 468 wrote to memory of 1472	468	cmd.exe	117
PID 1992 wrote to memory of 1748	1992	Load.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EU.exe
"C:\Users\Admin\AppData\Local\Temp\EU.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Users\Admin\AppData\Local\Temp\Done.exe
  "C:\Users\Admin\AppData\Local\Temp\Done.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Local\ACCApi\apihost.exe" /st 13:01 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1488
- - C:\Users\Admin\AppData\Local\ACCApi\apihost.exe
    "C:\Users\Admin\AppData\Local\ACCApi\apihost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4916
- C:\Users\Admin\AppData\Local\Temp\Load.exe
  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp84A1.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2752
- C:\Users\Admin\AppData\Local\Temp\EU.exe
  "C:\Users\Admin\AppData\Local\Temp\EU.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\Done.exe
    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Users\Admin\AppData\Local\Temp\Load.exe
    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp91E0.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3124
    - - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
- - C:\Users\Admin\AppData\Local\Temp\EU.exe
    "C:\Users\Admin\AppData\Local\Temp\EU.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\Done.exe
      "C:\Users\Admin\AppData\Local\Temp\Done.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\Load.exe
      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3584
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3116
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:468
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1472
      - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
  - - C:\Users\Admin\AppData\Local\Temp\EU.exe
      "C:\Users\Admin\AppData\Local\Temp\EU.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        6⤵
        
        PID:1748
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA410.tmp.bat""
        6⤵
        
        PID:4260
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
    - - C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        5⤵
        
        PID:3300
      - C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3088
      - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        7⤵
        
        PID:5028
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.bat""
        7⤵
        
        PID:2752
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:4516
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        6⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        8⤵
        
        PID:4284
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.bat""
        8⤵
        
        PID:1616
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        7⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        9⤵
        
        PID:760
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDC2.tmp.bat""
        9⤵
        
        PID:2404
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        8⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        10⤵
        
        PID:3628
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC6BB.tmp.bat""
        10⤵
        
        PID:1048
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        9⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        11⤵
        
        PID:3160
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF75.tmp.bat""
        11⤵
        
        PID:464
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        12⤵
        Delays execution with timeout.exe
        
        PID:3468
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        10⤵
        Checks computer location settings
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        11⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        12⤵
        
        PID:2876
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD84F.tmp.bat""
        12⤵
        
        PID:1664
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        13⤵
        Delays execution with timeout.exe
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        11⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        13⤵
        
        PID:4244
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE157.tmp.bat""
        13⤵
        
        PID:1264
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        14⤵
        Delays execution with timeout.exe
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        12⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        14⤵
        
        PID:1644
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEA60.tmp.bat""
        14⤵
        
        PID:1116
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        15⤵
        Delays execution with timeout.exe
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        13⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        15⤵
        
        PID:4868
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF30B.tmp.bat""
        15⤵
        
        PID:4740
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        16⤵
        Delays execution with timeout.exe
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        14⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        16⤵
        
        PID:1532
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFBA6.tmp.bat""
        16⤵
        
        PID:3508
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        17⤵
        Delays execution with timeout.exe
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        15⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        17⤵
        
        PID:4604
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CD.tmp.bat""
        17⤵
        
        PID:1408
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        18⤵
        Delays execution with timeout.exe
        
        PID:3408
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        16⤵
        Checks computer location settings
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        18⤵
        
        PID:3808
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB1.tmp.bat""
        18⤵
        
        PID:2788
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        19⤵
        Delays execution with timeout.exe
        
        PID:5096
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        17⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        19⤵
        
        PID:3516
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp178A.tmp.bat""
        19⤵
        
        PID:2476
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        20⤵
        Delays execution with timeout.exe
        
        PID:4376
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        18⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        20⤵
        
        PID:3720
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2006.tmp.bat""
        20⤵
        
        PID:2880
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        21⤵
        Delays execution with timeout.exe
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        19⤵
        Checks computer location settings
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        21⤵
        
        PID:4340
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:64
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp292E.tmp.bat""
        21⤵
        
        PID:2580
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        22⤵
        Delays execution with timeout.exe
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        20⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        22⤵
        
        PID:4296
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3275.tmp.bat""
        22⤵
        
        PID:3108
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        23⤵
        Delays execution with timeout.exe
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        21⤵
        Checks computer location settings
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        23⤵
        
        PID:3668
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        24⤵
        
        PID:3696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3B2F.tmp.bat""
        23⤵
        
        PID:3636
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        24⤵
        Delays execution with timeout.exe
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        22⤵
        Checks computer location settings
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        24⤵
        
        PID:2084
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp43CA.tmp.bat""
        24⤵
        
        PID:980
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        25⤵
        Delays execution with timeout.exe
        
        PID:392
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        23⤵
        Checks computer location settings
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        25⤵
        
        PID:4244
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D21.tmp.bat""
        25⤵
        
        PID:4340
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        26⤵
        Delays execution with timeout.exe
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        24⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        26⤵
        
        PID:4036
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp56B6.tmp.bat""
        26⤵
        
        PID:3876
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        27⤵
        Delays execution with timeout.exe
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        25⤵
        Checks computer location settings
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        27⤵
        
        PID:4928
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5FCE.tmp.bat""
        27⤵
        
        PID:2244
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        28⤵
        Delays execution with timeout.exe
        
        PID:1376
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        26⤵
        Checks computer location settings
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        28⤵
        
        PID:1556
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp68C7.tmp.bat""
        28⤵
        
        PID:4924
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        29⤵
        Delays execution with timeout.exe
        
        PID:3160
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        27⤵
        Checks computer location settings
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        28⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        29⤵
        
        PID:1672
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp71D0.tmp.bat""
        29⤵
        
        PID:816
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        30⤵
        Delays execution with timeout.exe
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        28⤵
        Checks computer location settings
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        30⤵
        
        PID:4968
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B26.tmp.bat""
        30⤵
        
        PID:2280
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        31⤵
        Delays execution with timeout.exe
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        29⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        30⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        31⤵
        
        PID:4240
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp83D1.tmp.bat""
        31⤵
        
        PID:2140
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        32⤵
        Delays execution with timeout.exe
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        30⤵
        Checks computer location settings
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        31⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        32⤵
        
        PID:2816
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C5D.tmp.bat""
        32⤵
        
        PID:4948
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        33⤵
        Delays execution with timeout.exe
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        31⤵
        Checks computer location settings
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        32⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        33⤵
        
        PID:4804
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9565.tmp.bat""
        33⤵
        
        PID:3632
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        34⤵
        Delays execution with timeout.exe
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        32⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        33⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        34⤵
        
        PID:2876
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E4E.tmp.bat""
        34⤵
        
        PID:4244
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        35⤵
        Delays execution with timeout.exe
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        33⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        35⤵
        
        PID:112
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA709.tmp.bat""
        35⤵
        
        PID:2580
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        36⤵
        Delays execution with timeout.exe
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        36⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        34⤵
        Checks computer location settings
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        35⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        36⤵
        
        PID:3840
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB002.tmp.bat""
        36⤵
        
        PID:1416
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        37⤵
        Delays execution with timeout.exe
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        37⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        35⤵
        Checks computer location settings
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        36⤵
        
        PID:1116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        37⤵
        
        PID:2684
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        38⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB90A.tmp.bat""
        37⤵
        
        PID:4504
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        38⤵
        Delays execution with timeout.exe
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        38⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        36⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        37⤵
        
        PID:4124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        38⤵
        
        PID:1376
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC1B5.tmp.bat""
        38⤵
        
        PID:392
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        39⤵
        Delays execution with timeout.exe
        
        PID:3588
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        39⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        37⤵
        Checks computer location settings
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        38⤵
        
        PID:5104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        39⤵
        
        PID:3980
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB4A.tmp.bat""
        39⤵
        
        PID:2308
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        40⤵
        Delays execution with timeout.exe
        
        PID:4780
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        40⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        38⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        39⤵
        
        PID:4316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        40⤵
        
        PID:3492
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD3C6.tmp.bat""
        40⤵
        
        PID:5000
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        41⤵
        Delays execution with timeout.exe
        
        PID:4204
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        41⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        39⤵
        Checks computer location settings
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        40⤵
        Checks computer location settings
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        41⤵
        
        PID:4036
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        42⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDDF7.tmp.bat""
        41⤵
        
        PID:3932
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        42⤵
        Delays execution with timeout.exe
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        42⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        40⤵
        Checks computer location settings
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        41⤵
        
        PID:4240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        42⤵
        
        PID:1604
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE5A8.tmp.bat""
        42⤵
        
        PID:2932
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        43⤵
        Delays execution with timeout.exe
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        43⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        41⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        42⤵
        Checks computer location settings
        
        PID:3644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        43⤵
        
        PID:4628
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        44⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEE91.tmp.bat""
        43⤵
        
        PID:2564
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        44⤵
        Delays execution with timeout.exe
        
        PID:3628
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        44⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        42⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        43⤵
        
        PID:3416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        44⤵
        
        PID:1212
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF74C.tmp.bat""
        44⤵
        
        PID:1776
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        45⤵
        Delays execution with timeout.exe
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        45⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        43⤵
        Checks computer location settings
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        44⤵
        Checks computer location settings
        
        PID:3656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        45⤵
        
        PID:1664
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        46⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC1.tmp.bat""
        45⤵
        
        PID:4000
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        46⤵
        Delays execution with timeout.exe
        
        PID:4148
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        46⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        44⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        45⤵
        
        PID:4904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        46⤵
        
        PID:4868
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp98B.tmp.bat""
        46⤵
        
        PID:5068
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        47⤵
        Delays execution with timeout.exe
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        47⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        45⤵
        Checks computer location settings
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        46⤵
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        47⤵
        
        PID:3124
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        48⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp12A4.tmp.bat""
        47⤵
        
        PID:3620
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        48⤵
        Delays execution with timeout.exe
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        48⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        46⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        47⤵
        Checks computer location settings
        
        PID:4892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        48⤵
        
        PID:3104
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp.bat""
        48⤵
        
        PID:3576
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        49⤵
        Delays execution with timeout.exe
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        49⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        47⤵
        Checks computer location settings
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        48⤵
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        49⤵
        
        PID:1324
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        50⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2409.tmp.bat""
        49⤵
        
        PID:5116
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        50⤵
        Delays execution with timeout.exe
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        48⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        49⤵
        Checks computer location settings
        
        PID:3808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        50⤵
        
        PID:1056
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2D6F.tmp.bat""
        50⤵
        
        PID:3440
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        51⤵
        Delays execution with timeout.exe
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        51⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        49⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        50⤵
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        51⤵
        
        PID:4364
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        52⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3687.tmp.bat""
        51⤵
        
        PID:4200
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        52⤵
        Delays execution with timeout.exe
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        52⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        50⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        51⤵
        
        PID:4316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        52⤵
        
        PID:2008
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F03.tmp.bat""
        52⤵
        
        PID:3088
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        53⤵
        Delays execution with timeout.exe
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        53⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        51⤵
        Checks computer location settings
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        52⤵
        Checks computer location settings
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        53⤵
        
        PID:4392
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        54⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp481B.tmp.bat""
        53⤵
        
        PID:3852
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        54⤵
        Delays execution with timeout.exe
        
        PID:4892
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        54⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        52⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        53⤵
        Checks computer location settings
        
        PID:4432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        54⤵
        
        PID:412
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5114.tmp.bat""
        54⤵
        
        PID:3416
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        55⤵
        Delays execution with timeout.exe
        
        PID:3108
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        55⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        53⤵
        Checks computer location settings
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        54⤵
        
        PID:4864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        55⤵
        
        PID:1824
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        56⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5A2C.tmp.bat""
        55⤵
        
        PID:2860
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        56⤵
        Delays execution with timeout.exe
        
        PID:5080
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        56⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        54⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        55⤵
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        56⤵
        
        PID:3840
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6335.tmp.bat""
        56⤵
        
        PID:820
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        57⤵
        Delays execution with timeout.exe
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        57⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        55⤵
        Checks computer location settings
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        56⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        56⤵
        Checks computer location settings
        
        PID:956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        57⤵
        
        PID:4040
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        58⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6BFF.tmp.bat""
        57⤵
        
        PID:3992
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        58⤵
        Delays execution with timeout.exe
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        58⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        56⤵
        Checks computer location settings
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        57⤵
        
        PID:968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        58⤵
        
        PID:3300
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7507.tmp.bat""
        58⤵
        
        PID:1100
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        59⤵
        Delays execution with timeout.exe
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        59⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        57⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        58⤵
        Checks computer location settings
        
        PID:3708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        59⤵
        
        PID:1900
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        60⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7E9C.tmp.bat""
        59⤵
        
        PID:3668
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        60⤵
        Delays execution with timeout.exe
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        60⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        58⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        59⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        59⤵
        Checks computer location settings
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        60⤵
        
        PID:3472
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8747.tmp.bat""
        60⤵
        
        PID:4772
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        61⤵
        Delays execution with timeout.exe
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        61⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        59⤵
        Checks computer location settings
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        60⤵
        Checks computer location settings
        
        PID:3108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        61⤵
        
        PID:3680
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        62⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8FF2.tmp.bat""
        61⤵
        
        PID:4912
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        62⤵
        Delays execution with timeout.exe
        
        PID:1332
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        62⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        60⤵
        Checks computer location settings
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        61⤵
        Checks computer location settings
        
        PID:4852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        62⤵
        
        PID:3008
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp990A.tmp.bat""
        62⤵
        
        PID:5016
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        63⤵
        Delays execution with timeout.exe
        
        PID:1016
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        63⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        61⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        62⤵
        
        PID:516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        63⤵
        
        PID:744
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        64⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA1E3.tmp.bat""
        63⤵
        
        PID:4960
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        64⤵
        Delays execution with timeout.exe
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        64⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        62⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        63⤵
        Checks computer location settings
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        64⤵
        
        PID:1900
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB2A.tmp.bat""
        64⤵
        
        PID:1008
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        65⤵
        Delays execution with timeout.exe
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        65⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        63⤵
        Checks computer location settings
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        64⤵
        Checks computer location settings
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        65⤵
        
        PID:3980
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        66⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB433.tmp.bat""
        65⤵
        
        PID:1416
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        66⤵
        Delays execution with timeout.exe
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        64⤵
        Checks computer location settings
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        65⤵
        Checks computer location settings
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        66⤵
        
        PID:4596
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDD8.tmp.bat""
        66⤵
        
        PID:3880
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        67⤵
        Delays execution with timeout.exe
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        65⤵
        Checks computer location settings
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        66⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\EU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EU.exe"
        66⤵
        
        PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EU.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Load.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Done.exe.log

Filesize
410B

MD5
3bbb825ef1319deb378787046587112b

SHA1
67da95f0031be525b4cf10645632ca34d66b913b

SHA256
d9c6d00fad02f7a9ef0fcddc298ffd58b17020fb12b1336d5733237cbfadb1e0

SHA512
7771ae543e188d544e1bb6c65e0453a6777c1c39790a355f4cce652a815bfaf94dd426de3db910a67bd06e463ac0143d9e2ca44d2b12af7f0d84c27b4a09cc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Done.exe

Filesize
69KB

MD5
2453fa8ef7ccc79cada8679f06f2be53

SHA1
b3db41bc85d300a069e6636b5c9e7dcf0a6a95b2

SHA256
e0e329ca03adcd56c5ff4a5cbdaff475a1cf636dfce64b7da1a05f5c74daac88

SHA512
a28398843232745153b3f57d2166aca95e9f930a8334c0ffdb2db192fc8cc8b2d5f5a0a0d123a996f2aa738668209a3541ffb9ed6f42f665aefb9300cd3d45d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Load.exe

Filesize
74KB

MD5
4fc5086bcb8939429aea99f7322e619b

SHA1
8d3bd7d005710a8ae0bd0143d18b437be20018d7

SHA256
e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd

SHA512
04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b5vv3wnr.zs1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84A1.tmp.bat

Filesize
148B

MD5
0cd8b4f43e5b1204afcbad3686e62b02

SHA1
c1b19eb6c7e8422e574edc62ef8d9bd30269c0ee

SHA256
60b23e9e23ce507b7adc9e6d05dd3663862ebf8b7fa7ff8ac1c9f4e288ae53e4

SHA512
899dbcb71168c33af0f2d7e0a3c81b98371b84e2f5523259c67421adaffde58ad491fca00865c1209d3ed80e958e89183c964ebecfd259411b4039a7d8be8178

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91E0.tmp.bat

Filesize
148B

MD5
b6eebb409969d7a66e7ef791d1325605

SHA1
69ac75aa46685e6efe4c27d6363c31a1d5843102

SHA256
982f3b9ad3c5c80a78fe65d755ad19efe8afee1edb86a07987e659f6a17fbf28

SHA512
bc55ae0d02b08e4fe7b7583de5016e549ba59825a3b6937c123ca0d43f87cc1e304e917959def0c94359cdee034d7e509e4e923ec6bc2b92dfa22362eab22549

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.bat

Filesize
148B

MD5
674d5e481205edfd6e00f24d260d39ba

SHA1
5bdb8c0cd08b9f8c6396cc46dab70c647222035a

SHA256
9cf4461c5d20f038fd1acc0fa292d6403a4a2a03d803aca53fe5ce6044dd4b39

SHA512
90068d3b3ca1f8601053eb40a5d67268cd1f610de82e2e03030164b75eef01705492afc0969503353d2e1fee033e46f74ebeac1640059c8c66254a98adb72388

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA410.tmp.bat

Filesize
148B

MD5
42202bd06265f4c0a7292a97537e99a4

SHA1
eb94294ac982a12b2490906faf63099002ed5720

SHA256
dd364e7eb16e12088de70455de1836fb8cc67f4258bc7da3334ad57cec3da511

SHA512
90317a2a621c73cfffba2c6ae6b74801c105141f8276ac9d47006903513c3112d4045b3856451e96d4ae82b3a0a2a1e4015dbf2156be489c104a9c642857b169

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAC7C.tmp.bat

Filesize
148B

MD5
e6d76982709066856209241ea5759ddd

SHA1
383b53211e2671d6f31f0c8afddc391c9de5c18a

SHA256
b26a54ae87b64fd14d15c0e4d5d2b579fef31f6f036473f6bedf38036b79b3ac

SHA512
b99e04ade808bd1e6c95aa436a884bd5b46000da42934c9c5bbe4138a81feb7a194c223861dc30dac3f99ed279b448ce941d1dbbab80163d5177ada37e0e4708

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB565.tmp.bat

Filesize
148B

MD5
338193599ffaa839c1211ec5c2ef6961

SHA1
324061c867862c8672cb1c4aae2edbd7ef47f35f

SHA256
4707060935863d129a8b2e221b42b0d4fc3b87c620ea424e00223c55daa8bb66

SHA512
1c54e920df136d9d15cd2a01927e65a4ad98da560ba9832f9b417a6fde37cd8f23410d688be500f48be8239d17498ac27b808baacea968733d3b7a338fb902a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDC2.tmp.bat

Filesize
148B

MD5
b324a6efda98e8528aa2dfec4d8f6ac6

SHA1
91c3c932d465d003d059ea77c089989fac25ca35

SHA256
57285d5b04b70f2f0abd7dcbb8977749ece2329576731890c5e5b97b9b7b6792

SHA512
41b0d5bce6ce1611355c227437ced1b46d542813b632d9acc7cae3d677b94bc5d7be5e70d76684f91c0387cc0e8453f2be9331f9694e23e0b839c6378c79d826

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC6BB.tmp.bat

Filesize
148B

MD5
8836c4b94621632ff68159ad0518fdd8

SHA1
b0a619b6ff92f6ee77c2137508af9951ef9733ab

SHA256
db3f2883f1c477b95fa4b84fb1c89c0c92e8df35eee2378a53365c6b3dea2846

SHA512
e246cf78888f406ee33cea410299a1e496ed0da9e9de795d4abf05050d544d70ac9c3a7daf4c7399e5304e519a8b910842e2f0b04f1cc649e6ef28fa3f4d5045

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCF75.tmp.bat

Filesize
148B

MD5
63707213cedb25a12c57f7b747ec9339

SHA1
ff8f923c124e218fcbbeb38f68de0ed88ec5102a

SHA256
0b9a3b066b807ce9f169873904db8bc663a0cd48e90d4760f95a215ba7abd0a5

SHA512
e05abac8ff49c216ea533ebd07ab86830e373ed3c96e3ba6afca18aa5c6d972cf85dd41ab405c471aa37d646e8ef41371de930289257cfdc7813dd000e5fd2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD84F.tmp.bat

Filesize
148B

MD5
f16a3ad7f5e0de9a55e32b1cfdd454b7

SHA1
ca1893f21ffc95c5773d8ffcad3dcf8dfede9984

SHA256
8b7d05f6dda0b1a25a14dcf14cd0562ddf98a5b1eceabaeabbcb3fea92fc7c53

SHA512
d838c8ac42b82a59ee6db0c35c1cebd119eea846e1b6135fe0cc892ee734e89bddf28a79d009e0c2df07091f8b31b6b1227f131c06ca1e38b226ef06b3e1aaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE157.tmp.bat

Filesize
148B

MD5
3403acdcd62edebda7b3c5dc88f11949

SHA1
60fee42541bea18dda485dc00df01ebfa56a3c76

SHA256
17b6d8200082b18c881af72b7c51a49fd276cdfd6c805ccd104c8a7a5c4d1d74

SHA512
1a09ff093c55832e6cc47118f87bfd8bf536548bea8c49c146b8bf09d75e8f0b03201546fa3b2974aa0990f04038aa5a30771af3e97488cf0020c5f8f223db30

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/640-102-0x00000000065C0000-0x00000000065CA000-memory.dmp

Filesize
40KB

Download
memory/980-33-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/980-32-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/980-31-0x0000000000890000-0x00000000008A8000-memory.dmp

Filesize
96KB

Download
memory/4080-30-0x00007FFF48350000-0x00007FFF48E11000-memory.dmp

Filesize
10.8MB

Download
memory/4080-4-0x00007FFF48350000-0x00007FFF48E11000-memory.dmp

Filesize
10.8MB

Download
memory/4080-0-0x00007FFF48353000-0x00007FFF48355000-memory.dmp

Filesize
8KB

Download
memory/4080-1-0x0000000000550000-0x0000000000770000-memory.dmp

Filesize
2.1MB

Download
memory/4204-85-0x00000000068A0000-0x00000000068EC000-memory.dmp

Filesize
304KB

Download
memory/4204-98-0x0000000007820000-0x000000000783E000-memory.dmp

Filesize
120KB

Download
memory/4204-99-0x0000000007A50000-0x0000000007AF3000-memory.dmp

Filesize
652KB

Download
memory/4204-100-0x00000000081D0000-0x000000000884A000-memory.dmp

Filesize
6.5MB

Download
memory/4204-101-0x0000000007B90000-0x0000000007BAA000-memory.dmp

Filesize
104KB

Download
memory/4204-87-0x0000000071370000-0x00000000713BC000-memory.dmp

Filesize
304KB

Download
memory/4204-103-0x0000000007C00000-0x0000000007C0A000-memory.dmp

Filesize
40KB

Download
memory/4204-107-0x0000000007E10000-0x0000000007EA6000-memory.dmp

Filesize
600KB

Download
memory/4204-86-0x0000000006E30000-0x0000000006E62000-memory.dmp

Filesize
200KB

Download
memory/4204-108-0x0000000007D90000-0x0000000007DA1000-memory.dmp

Filesize
68KB

Download
memory/4204-84-0x0000000006860000-0x000000000687E000-memory.dmp

Filesize
120KB

Download
memory/4204-114-0x0000000007DC0000-0x0000000007DCE000-memory.dmp

Filesize
56KB

Download
memory/4204-115-0x0000000007DD0000-0x0000000007DE4000-memory.dmp

Filesize
80KB

Download
memory/4204-116-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

Filesize
104KB

Download
memory/4204-117-0x0000000007EB0000-0x0000000007EB8000-memory.dmp

Filesize
32KB

Download
memory/4204-83-0x0000000006220000-0x0000000006574000-memory.dmp

Filesize
3.3MB

Download
memory/4204-72-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/4204-73-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/4204-70-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/4204-60-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/4204-55-0x0000000005210000-0x0000000005246000-memory.dmp

Filesize
216KB

Download
memory/4248-38-0x00007FFF48350000-0x00007FFF48E11000-memory.dmp

Filesize
10.8MB

Download
memory/4248-28-0x0000000000C50000-0x0000000000C68000-memory.dmp

Filesize
96KB

Download
memory/4248-27-0x00007FFF48350000-0x00007FFF48E11000-memory.dmp

Filesize
10.8MB

Download