asyncrat | 89057bbeb5618835524cf8fc3a645fc5137553638520e763901fa1f2f8cdbe66

Analysis

max time kernel
893s
max time network
441s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-01-2025 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

2.1MB
MD5

084519881ac16c16cf9206f97a68f79e
SHA1

7b0fbc312ec9176a69ccb3036636e2423320cd79
SHA256

89057bbeb5618835524cf8fc3a645fc5137553638520e763901fa1f2f8cdbe66
SHA512

84b2867560cdbd3ca797196b208495631e49a87a2ea7451d6d68b52ea1ada0546c81d9b2e37b630440565cd53661c6541eb91c8bd662bb10780f87a7c7db5633
SSDEEP

49152:4ZZosvRgdkadC7i03aQAZutzArxizJZTrEbupmpVwMgc:4ZZostak7RGuqGJZXdpmIn

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes

delay
1
install
true
install_file
Load.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0028000000046104-20.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2216	powershell.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Load.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	Process not Found

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk	Done.exe

Executes dropped EXE 64 IoCs

pid	Process
4128	Done.exe
4664	Load.exe
1860	Done.exe
2792	Load.exe
2288	apihost.exe
244	Done.exe
3676	Load.exe
1636	Done.exe
2608	Load.exe
5064	Load.exe
3384	Done.exe
2384	Load.exe
4908	Load.exe
3860	Done.exe
2220	Load.exe
1424	Done.exe
2112	Load.exe
4128	Load.exe
4820	Done.exe
1888	Load.exe
3644	Done.exe
1644	Load.exe
2652	Load.exe
1780	Done.exe
624	Load.exe
1832	Load.exe
4728	Done.exe
880	Load.exe
1252	Load.exe
2712	Done.exe
1404	Load.exe
1988	Load.exe
572	Done.exe
4836	Load.exe
2612	Load.exe
2940	Done.exe
5092	Load.exe
1804	Load.exe
388	Done.exe
4184	Load.exe
476	Load.exe
1356	Done.exe
3384	Load.exe
4908	Load.exe
3836	Done.exe
4464	Load.exe
3104	Load.exe
948	Done.exe
4896	Load.exe
884	Load.exe
2564	Done.exe
1848	Load.exe
3812	Load.exe
2288	Done.exe
1756	Load.exe
2648	Load.exe
1792	Done.exe
4348	Load.exe
1932	Load.exe
2440	Done.exe
1852	Load.exe
4796	Load.exe
3812	Done.exe
3208	Load.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apihost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Done.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2336	Process not Found
3380	timeout.exe
1700	timeout.exe
4864	timeout.exe
4332	Process not Found
2944	Process not Found
1128	Process not Found
5112	Process not Found
4256	Process not Found
2308	Process not Found
1888	Process not Found
3336	timeout.exe
3128	timeout.exe
4260	Process not Found
2240	Process not Found
1424	Process not Found
3036	Process not Found
4480	Process not Found
4576	Process not Found
3036	timeout.exe
1044	timeout.exe
5100	Process not Found
1480	Process not Found
4188	Process not Found
392	Process not Found
4464	timeout.exe
3680	Process not Found
2552	Process not Found
4256	timeout.exe
1656	timeout.exe
1584	timeout.exe
828	timeout.exe
2104	timeout.exe
2580	Process not Found
3720	Process not Found
4032	Process not Found
3632	Process not Found
1428	Process not Found
5088	Process not Found
1176	Process not Found
3904	Process not Found
4448	Process not Found
3488	timeout.exe
1792	timeout.exe
4188	timeout.exe
2404	Process not Found
3860	Process not Found
4656	Process not Found
4192	Process not Found
3452	timeout.exe
2584	Process not Found
3764	Process not Found
3912	Process not Found
2656	Process not Found
2620	timeout.exe
4712	timeout.exe
4284	timeout.exe
3572	timeout.exe
4912	timeout.exe
2744	timeout.exe
2348	timeout.exe
3928	Process not Found
3860	Process not Found
2452	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4060	Process not Found
1456	Process not Found
4980	Process not Found
4120	Process not Found
4672	schtasks.exe
408	Process not Found
3432	Process not Found
3424	Process not Found
3752	schtasks.exe
3276	Process not Found
772	Process not Found
3452	Process not Found
1936	Process not Found
2028	Process not Found
4120	Process not Found
2172	Process not Found
3444	schtasks.exe
4084	schtasks.exe
1068	Process not Found
4516	Process not Found
5016	Process not Found
3972	Process not Found
2184	Process not Found
3468	Process not Found
2480	schtasks.exe
1624	Process not Found
428	Process not Found
3388	schtasks.exe
4444	Process not Found
476	schtasks.exe
1940	schtasks.exe
2776	schtasks.exe
1308	Process not Found
1840	schtasks.exe
1832	schtasks.exe
3676	Process not Found
4776	Process not Found
2788	Process not Found
2944	Process not Found
4312	Process not Found
3400	Process not Found
3756	schtasks.exe
2156	Process not Found
1176	Process not Found
1632	Process not Found
2720	Process not Found
3324	Process not Found
1684	schtasks.exe
4500	schtasks.exe
4992	Process not Found
3760	Process not Found
1156	Process not Found
4624	Process not Found
4568	Process not Found
2760	schtasks.exe
1516	Process not Found
4676	Process not Found
668	Process not Found
2648	Process not Found
1940	Process not Found
2656	schtasks.exe
3332	Process not Found
2700	Process not Found
3884	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1860	Done.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
4664	Load.exe
2216	powershell.exe
2216	powershell.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
2792	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe
3676	Load.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	Load.exe
Token: SeDebugPrivilege	2792	Load.exe
Token: SeDebugPrivilege	4128	Done.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1860	Done.exe
Token: SeDebugPrivilege	3676	Load.exe
Token: SeIncreaseQuotaPrivilege	2216	powershell.exe
Token: SeSecurityPrivilege	2216	powershell.exe
Token: SeTakeOwnershipPrivilege	2216	powershell.exe
Token: SeLoadDriverPrivilege	2216	powershell.exe
Token: SeSystemProfilePrivilege	2216	powershell.exe
Token: SeSystemtimePrivilege	2216	powershell.exe
Token: SeProfSingleProcessPrivilege	2216	powershell.exe
Token: SeIncBasePriorityPrivilege	2216	powershell.exe
Token: SeCreatePagefilePrivilege	2216	powershell.exe
Token: SeBackupPrivilege	2216	powershell.exe
Token: SeRestorePrivilege	2216	powershell.exe
Token: SeShutdownPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeSystemEnvironmentPrivilege	2216	powershell.exe
Token: SeRemoteShutdownPrivilege	2216	powershell.exe
Token: SeUndockPrivilege	2216	powershell.exe
Token: SeManageVolumePrivilege	2216	powershell.exe
Token: 33	2216	powershell.exe
Token: 34	2216	powershell.exe
Token: 35	2216	powershell.exe
Token: 36	2216	powershell.exe
Token: SeDebugPrivilege	2608	Load.exe
Token: SeDebugPrivilege	5064	Load.exe
Token: SeDebugPrivilege	2384	Load.exe
Token: SeDebugPrivilege	4908	Load.exe
Token: SeDebugPrivilege	2220	Load.exe
Token: SeDebugPrivilege	2112	Load.exe
Token: SeDebugPrivilege	4128	Load.exe
Token: SeDebugPrivilege	1888	Load.exe
Token: SeDebugPrivilege	1644	Load.exe
Token: SeDebugPrivilege	2652	Load.exe
Token: SeDebugPrivilege	624	Load.exe
Token: SeDebugPrivilege	1832	Load.exe
Token: SeDebugPrivilege	880	Load.exe
Token: SeDebugPrivilege	1252	Load.exe
Token: SeDebugPrivilege	1404	Load.exe
Token: SeDebugPrivilege	1988	Load.exe
Token: SeDebugPrivilege	4836	Load.exe
Token: SeDebugPrivilege	2612	Load.exe
Token: SeDebugPrivilege	5092	Load.exe
Token: SeDebugPrivilege	1804	Load.exe
Token: SeDebugPrivilege	4184	Load.exe
Token: SeDebugPrivilege	476	Load.exe
Token: SeDebugPrivilege	3384	Load.exe
Token: SeDebugPrivilege	4908	Load.exe
Token: SeDebugPrivilege	4464	Load.exe
Token: SeDebugPrivilege	3104	Load.exe
Token: SeDebugPrivilege	4896	Load.exe
Token: SeDebugPrivilege	884	Load.exe
Token: SeDebugPrivilege	1848	Load.exe
Token: SeDebugPrivilege	3812	Load.exe
Token: SeDebugPrivilege	1756	Load.exe
Token: SeDebugPrivilege	2648	Load.exe
Token: SeDebugPrivilege	4348	Load.exe
Token: SeDebugPrivilege	1932	Load.exe
Token: SeDebugPrivilege	1852	Load.exe
Token: SeDebugPrivilege	4796	Load.exe
Token: SeDebugPrivilege	3208	Load.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 4128	1524	Loader.exe	83
PID 1524 wrote to memory of 4128	1524	Loader.exe	83
PID 1524 wrote to memory of 4128	1524	Loader.exe	83
PID 1524 wrote to memory of 4664	1524	Loader.exe	84
PID 1524 wrote to memory of 4664	1524	Loader.exe	84
PID 1524 wrote to memory of 1752	1524	Loader.exe	85
PID 1524 wrote to memory of 1752	1524	Loader.exe	85
PID 4664 wrote to memory of 1072	4664	Load.exe	89
PID 4664 wrote to memory of 1072	4664	Load.exe	89
PID 4664 wrote to memory of 4180	4664	Load.exe	90
PID 4664 wrote to memory of 4180	4664	Load.exe	90
PID 4180 wrote to memory of 900	4180	cmd.exe	94
PID 4180 wrote to memory of 900	4180	cmd.exe	94
PID 1072 wrote to memory of 4056	1072	cmd.exe	95
PID 1072 wrote to memory of 4056	1072	cmd.exe	95
PID 1752 wrote to memory of 1860	1752	Loader.exe	96
PID 1752 wrote to memory of 1860	1752	Loader.exe	96
PID 1752 wrote to memory of 1860	1752	Loader.exe	96
PID 1752 wrote to memory of 2792	1752	Loader.exe	97
PID 1752 wrote to memory of 2792	1752	Loader.exe	97
PID 1752 wrote to memory of 784	1752	Loader.exe	98
PID 1752 wrote to memory of 784	1752	Loader.exe	98
PID 4128 wrote to memory of 2216	4128	Done.exe	99
PID 4128 wrote to memory of 2216	4128	Done.exe	99
PID 4128 wrote to memory of 2216	4128	Done.exe	99
PID 4128 wrote to memory of 1948	4128	Done.exe	101
PID 4128 wrote to memory of 1948	4128	Done.exe	101
PID 4128 wrote to memory of 1948	4128	Done.exe	101
PID 4128 wrote to memory of 2288	4128	Done.exe	103
PID 4128 wrote to memory of 2288	4128	Done.exe	103
PID 4128 wrote to memory of 2288	4128	Done.exe	103
PID 2792 wrote to memory of 2092	2792	Load.exe	104
PID 2792 wrote to memory of 2092	2792	Load.exe	104
PID 2092 wrote to memory of 4696	2092	cmd.exe	106
PID 2092 wrote to memory of 4696	2092	cmd.exe	106
PID 784 wrote to memory of 244	784	Loader.exe	107
PID 784 wrote to memory of 244	784	Loader.exe	107
PID 784 wrote to memory of 244	784	Loader.exe	107
PID 784 wrote to memory of 3676	784	Loader.exe	108
PID 784 wrote to memory of 3676	784	Loader.exe	108
PID 784 wrote to memory of 3844	784	Loader.exe	109
PID 784 wrote to memory of 3844	784	Loader.exe	109
PID 2792 wrote to memory of 1504	2792	Load.exe	112
PID 2792 wrote to memory of 1504	2792	Load.exe	112
PID 1504 wrote to memory of 3492	1504	cmd.exe	114
PID 1504 wrote to memory of 3492	1504	cmd.exe	114
PID 3676 wrote to memory of 564	3676	Load.exe	116
PID 3676 wrote to memory of 564	3676	Load.exe	116
PID 564 wrote to memory of 2280	564	cmd.exe	118
PID 564 wrote to memory of 2280	564	cmd.exe	118
PID 3844 wrote to memory of 1636	3844	Loader.exe	119
PID 3844 wrote to memory of 1636	3844	Loader.exe	119
PID 3844 wrote to memory of 1636	3844	Loader.exe	119
PID 3844 wrote to memory of 2608	3844	Loader.exe	120
PID 3844 wrote to memory of 2608	3844	Loader.exe	120
PID 3844 wrote to memory of 1072	3844	Loader.exe	121
PID 3844 wrote to memory of 1072	3844	Loader.exe	121
PID 3676 wrote to memory of 3792	3676	Load.exe	122
PID 3676 wrote to memory of 3792	3676	Load.exe	122
PID 1504 wrote to memory of 5064	1504	cmd.exe	124
PID 1504 wrote to memory of 5064	1504	cmd.exe	124
PID 3792 wrote to memory of 1704	3792	cmd.exe	125
PID 3792 wrote to memory of 1704	3792	cmd.exe	125
PID 1072 wrote to memory of 3384	1072	Loader.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\Done.exe
  "C:\Users\Admin\AppData\Local\Temp\Done.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ACCApi'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Local\ACCApi\apihost.exe" /st 06:14 /du 23:59 /sc daily /ri 1 /f
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\ACCApi\apihost.exe
    "C:\Users\Admin\AppData\Local\ACCApi\apihost.exe"
    3⤵
    - Executes dropped EXE
    PID:2288
- C:\Users\Admin\AppData\Local\Temp\Load.exe
  "C:\Users\Admin\AppData\Local\Temp\Load.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
      4⤵
      PID:4056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6C08.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      PID:900
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\Done.exe
    "C:\Users\Admin\AppData\Local\Temp\Done.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Users\Admin\AppData\Local\Temp\Load.exe
    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        5⤵
        
        PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7966.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        
        PID:3492
    - - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Users\Admin\AppData\Local\Temp\Done.exe
      "C:\Users\Admin\AppData\Local\Temp\Done.exe"
      4⤵
      Executes dropped EXE
      PID:244
  - - C:\Users\Admin\AppData\Local\Temp\Load.exe
      "C:\Users\Admin\AppData\Local\Temp\Load.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        6⤵
        
        PID:2280
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp81D2.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3792
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        
        PID:1704
      - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        5⤵
        Executes dropped EXE
        
        PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        6⤵
        
        PID:2648
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        7⤵
        
        PID:1128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D4C.tmp.bat""
        6⤵
        
        PID:1076
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:3380
    - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        6⤵
        Executes dropped EXE
        
        PID:3384
      - C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        7⤵
        
        PID:360
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        8⤵
        
        PID:4192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9376.tmp.bat""
        7⤵
        
        PID:2012
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
      - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        6⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        7⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        8⤵
        
        PID:3756
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        9⤵
        
        PID:4836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C7E.tmp.bat""
        8⤵
        
        PID:4708
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        7⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        8⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        9⤵
        
        PID:1292
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        10⤵
        
        PID:3760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA596.tmp.bat""
        9⤵
        
        PID:424
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        8⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        10⤵
        
        PID:2568
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        11⤵
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE70.tmp.bat""
        10⤵
        
        PID:360
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        11⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        9⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        10⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        11⤵
        
        PID:572
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        12⤵
        
        PID:580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB72A.tmp.bat""
        11⤵
        
        PID:3200
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        12⤵
        Delays execution with timeout.exe
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        10⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        11⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        12⤵
        
        PID:3760
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        13⤵
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC043.tmp.bat""
        12⤵
        
        PID:3336
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        13⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        11⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        12⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        13⤵
        
        PID:4776
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        14⤵
        
        PID:8
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC93B.tmp.bat""
        13⤵
        
        PID:4908
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        14⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        12⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        13⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        14⤵
        
        PID:3384
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        15⤵
        
        PID:3676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD234.tmp.bat""
        14⤵
        
        PID:1832
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        15⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        13⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        14⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        15⤵
        
        PID:2308
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDA91.tmp.bat""
        15⤵
        
        PID:1824
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        16⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        14⤵
        Checks computer location settings
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        15⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        16⤵
        
        PID:4704
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        17⤵
        
        PID:4712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE34B.tmp.bat""
        16⤵
        
        PID:1988
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        17⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        15⤵
        Checks computer location settings
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        16⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        17⤵
        
        PID:916
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        18⤵
        
        PID:2616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEBC7.tmp.bat""
        17⤵
        
        PID:1796
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        18⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        16⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        17⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        18⤵
        
        PID:3760
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        19⤵
        
        PID:1776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF4B0.tmp.bat""
        18⤵
        
        PID:4772
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        19⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        17⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        18⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        19⤵
        
        PID:1804
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        20⤵
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFD4C.tmp.bat""
        19⤵
        
        PID:2160
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        20⤵
        Delays execution with timeout.exe
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        18⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        19⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        20⤵
        
        PID:1544
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp673.tmp.bat""
        20⤵
        
        PID:3388
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        21⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        19⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        20⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        21⤵
        
        PID:3140
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        22⤵
        
        PID:904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1E.tmp.bat""
        21⤵
        
        PID:4180
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        22⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        20⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        21⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        22⤵
        
        PID:3384
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        23⤵
        
        PID:5088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1827.tmp.bat""
        22⤵
        
        PID:4712
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        23⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        21⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        22⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        23⤵
        
        PID:568
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        24⤵
        
        PID:5028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp20B2.tmp.bat""
        23⤵
        
        PID:3036
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        24⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        24⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        22⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        24⤵
        
        PID:2020
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        25⤵
        
        PID:3176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp29F9.tmp.bat""
        24⤵
        
        PID:4588
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        25⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        25⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        23⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        24⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        25⤵
        
        PID:4192
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        26⤵
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3285.tmp.bat""
        25⤵
        
        PID:3104
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        26⤵
        Delays execution with timeout.exe
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        26⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        24⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        25⤵
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        26⤵
        
        PID:1188
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        27⤵
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3B4F.tmp.bat""
        26⤵
        
        PID:1752
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        27⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        27⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        25⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        26⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        26⤵
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        27⤵
        
        PID:8
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        28⤵
        
        PID:4724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp44E4.tmp.bat""
        27⤵
        
        PID:4336
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        28⤵
        Delays execution with timeout.exe
        
        PID:3488
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        28⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        26⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        27⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        27⤵
        
        PID:476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        28⤵
        
        PID:2564
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        29⤵
        
        PID:624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4DAE.tmp.bat""
        28⤵
        
        PID:4356
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        29⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        29⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        27⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        28⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        28⤵
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        29⤵
        
        PID:4216
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp56D5.tmp.bat""
        29⤵
        
        PID:1128
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        30⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        30⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        28⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        29⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        29⤵
        
        PID:4684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        30⤵
        
        PID:2320
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        31⤵
        
        PID:984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5FDE.tmp.bat""
        30⤵
        
        PID:4884
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        31⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        31⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        29⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        30⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        30⤵
        
        PID:4500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        31⤵
        
        PID:1596
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        32⤵
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6879.tmp.bat""
        31⤵
        
        PID:3336
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        32⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        32⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        30⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        31⤵
        
        PID:4904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        32⤵
        
        PID:656
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        33⤵
        
        PID:2436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7153.tmp.bat""
        32⤵
        
        PID:2656
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        33⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        33⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        31⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        32⤵
        Checks computer location settings
        
        PID:1084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        33⤵
        
        PID:4256
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        34⤵
        
        PID:1616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp79BF.tmp.bat""
        33⤵
        
        PID:236
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        34⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        34⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        32⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        33⤵
        
        PID:3492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        34⤵
        
        PID:1800
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        35⤵
        
        PID:1184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8335.tmp.bat""
        34⤵
        
        PID:428
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        35⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        35⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        33⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        34⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        34⤵
        
        PID:4612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        35⤵
        
        PID:4908
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        36⤵
        
        PID:3176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8BC0.tmp.bat""
        35⤵
        
        PID:2564
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        36⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        36⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        34⤵
        Checks computer location settings
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        35⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        35⤵
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        36⤵
        
        PID:1276
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        37⤵
        
        PID:3692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp94E8.tmp.bat""
        36⤵
        
        PID:2152
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        37⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        37⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        35⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        36⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        36⤵
        
        PID:4484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        37⤵
        
        PID:4344
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        38⤵
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D64.tmp.bat""
        37⤵
        
        PID:1632
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        38⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        38⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        36⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        37⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        37⤵
        
        PID:4852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        38⤵
        
        PID:1700
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        39⤵
        
        PID:3672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA65D.tmp.bat""
        38⤵
        
        PID:3280
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        39⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        39⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        37⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        38⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        38⤵
        Checks computer location settings
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        39⤵
        
        PID:2352
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        40⤵
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF56.tmp.bat""
        39⤵
        
        PID:2760
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        40⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        40⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        38⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        39⤵
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        40⤵
        
        PID:1428
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        41⤵
        
        PID:4120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB82F.tmp.bat""
        40⤵
        
        PID:2628
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        41⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        41⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        39⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        40⤵
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        41⤵
        
        PID:1068
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        42⤵
        
        PID:3676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC147.tmp.bat""
        41⤵
        
        PID:2280
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        42⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        40⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        41⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        41⤵
        
        PID:1168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        42⤵
        
        PID:4144
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        43⤵
        
        PID:4216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCA60.tmp.bat""
        42⤵
        
        PID:3156
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        43⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        43⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        41⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        42⤵
        Checks computer location settings
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        43⤵
        
        PID:2676
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        44⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD397.tmp.bat""
        43⤵
        
        PID:2612
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        44⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        44⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        42⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        43⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        43⤵
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        44⤵
        
        PID:4464
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        45⤵
        
        PID:4960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC51.tmp.bat""
        44⤵
        
        PID:2264
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        45⤵
        Delays execution with timeout.exe
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        45⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        43⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        44⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        44⤵
        
        PID:64
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        45⤵
        
        PID:2384
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        46⤵
        
        PID:4504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE55A.tmp.bat""
        45⤵
        
        PID:2456
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        46⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        46⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        44⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        45⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        45⤵
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        46⤵
        
        PID:3048
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        47⤵
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEE72.tmp.bat""
        46⤵
        
        PID:2628
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        47⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        47⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        45⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        46⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        46⤵
        
        PID:832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        47⤵
        
        PID:2672
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        48⤵
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF74C.tmp.bat""
        47⤵
        
        PID:2480
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        48⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        48⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        46⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        47⤵
        
        PID:3624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        48⤵
        
        PID:4180
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        49⤵
        
        PID:4584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp44.tmp.bat""
        48⤵
        
        PID:2164
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        49⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        49⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        47⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        48⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        48⤵
        
        PID:3672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        49⤵
        
        PID:1896
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        50⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8D0.tmp.bat""
        49⤵
        
        PID:3628
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        50⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        50⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        48⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        49⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        49⤵
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        50⤵
        
        PID:2000
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        51⤵
        
        PID:2820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp11F8.tmp.bat""
        50⤵
        
        PID:1576
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        51⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        51⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        49⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        50⤵
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        51⤵
        
        PID:1068
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        52⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1AD1.tmp.bat""
        51⤵
        
        PID:2772
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        52⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        52⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        50⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        51⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        51⤵
        
        PID:564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        52⤵
        
        PID:4608
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        53⤵
        
        PID:1276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp23BB.tmp.bat""
        52⤵
        
        PID:2336
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        53⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        53⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        51⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        52⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        52⤵
        
        PID:4532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        53⤵
        
        PID:1520
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        54⤵
        
        PID:452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2D02.tmp.bat""
        53⤵
        
        PID:2052
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        54⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        54⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        52⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        53⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        53⤵
        
        PID:4696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        54⤵
        
        PID:4384
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        55⤵
        
        PID:1000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp35AC.tmp.bat""
        54⤵
        
        PID:1696
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        55⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        55⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        53⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        54⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        54⤵
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        55⤵
        
        PID:2472
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        56⤵
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3E57.tmp.bat""
        55⤵
        
        PID:2372
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        56⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        56⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        54⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        55⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        55⤵
        
        PID:4980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        56⤵
        
        PID:8
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4721.tmp.bat""
        56⤵
        
        PID:4360
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        57⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        57⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        55⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        56⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        56⤵
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        57⤵
        
        PID:4784
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        58⤵
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4FEB.tmp.bat""
        57⤵
        
        PID:3620
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        58⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        58⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        56⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        57⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        57⤵
        
        PID:2104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        58⤵
        
        PID:3324
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        59⤵
        
        PID:4732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5951.tmp.bat""
        58⤵
        
        PID:4532
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        59⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        59⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        57⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        58⤵
        
        PID:4660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        59⤵
        
        PID:384
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        60⤵
        
        PID:3416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp61DD.tmp.bat""
        59⤵
        
        PID:1940
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        60⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        60⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        58⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        59⤵
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        60⤵
        
        PID:4844
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        61⤵
        
        PID:1924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6B05.tmp.bat""
        60⤵
        
        PID:2792
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        61⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        61⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        59⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        60⤵
        
        PID:4432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        61⤵
        
        PID:3956
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        62⤵
        
        PID:2496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp741D.tmp.bat""
        61⤵
        
        PID:3372
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        62⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        62⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        60⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        61⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        61⤵
        
        PID:3400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        62⤵
        
        PID:4804
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        63⤵
        
        PID:3716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CE7.tmp.bat""
        62⤵
        
        PID:4520
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        63⤵
        Delays execution with timeout.exe
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        61⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        62⤵
        
        PID:1276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        63⤵
        
        PID:4356
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        64⤵
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp85EF.tmp.bat""
        63⤵
        
        PID:1936
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        64⤵
        Delays execution with timeout.exe
        
        PID:4256
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        64⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        62⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        63⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        63⤵
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        64⤵
        
        PID:3988
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F46.tmp.bat""
        64⤵
        
        PID:4540
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        65⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        65⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        63⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        64⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        64⤵
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        65⤵
        
        PID:1084
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        66⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp98AC.tmp.bat""
        65⤵
        
        PID:3844
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        66⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        66⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        64⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        65⤵
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        66⤵
        
        PID:2552
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        67⤵
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA232.tmp.bat""
        66⤵
        
        PID:3360
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        67⤵
        Delays execution with timeout.exe
        
        PID:4284
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        67⤵
        
        PID:188
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        65⤵
        Checks computer location settings
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        66⤵
        
        PID:5044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        67⤵
        
        PID:2192
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        68⤵
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB69.tmp.bat""
        67⤵
        
        PID:224
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        68⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        68⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        66⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        67⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        67⤵
        
        PID:4500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        68⤵
        
        PID:1736
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        69⤵
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB404.tmp.bat""
        68⤵
        
        PID:2428
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        69⤵
        Delays execution with timeout.exe
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        69⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        67⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        68⤵
        
        PID:1048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        69⤵
        
        PID:3628
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        70⤵
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD6A.tmp.bat""
        69⤵
        
        PID:2404
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        70⤵
        Delays execution with timeout.exe
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        70⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        68⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        69⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        69⤵
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        70⤵
        
        PID:2000
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        71⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC625.tmp.bat""
        70⤵
        
        PID:4896
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        71⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        71⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        69⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        70⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        70⤵
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        71⤵
        
        PID:396
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        72⤵
        
        PID:3956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF2D.tmp.bat""
        71⤵
        
        PID:3348
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        72⤵
        Delays execution with timeout.exe
        
        PID:4188
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        72⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        70⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        71⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        71⤵
        Checks computer location settings
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        72⤵
        
        PID:3400
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        73⤵
        
        PID:4804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD807.tmp.bat""
        72⤵
        
        PID:4960
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        73⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        73⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        71⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        72⤵
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        73⤵
        
        PID:2448
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        74⤵
        
        PID:1488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE11F.tmp.bat""
        73⤵
        
        PID:4844
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        74⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        74⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        72⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        73⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        73⤵
        
        PID:4256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        74⤵
        
        PID:4752
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        75⤵
        
        PID:2700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEA27.tmp.bat""
        74⤵
        
        PID:2316
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        75⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        73⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        74⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        74⤵
        
        PID:3840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        75⤵
        
        PID:2336
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        76⤵
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF3EB.tmp.bat""
        75⤵
        
        PID:4768
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        76⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        76⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        74⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        75⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        75⤵
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        76⤵
        
        PID:3752
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        77⤵
        
        PID:2672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFD42.tmp.bat""
        76⤵
        
        PID:4608
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        77⤵
        Delays execution with timeout.exe
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        77⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        75⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        76⤵
        
        PID:388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        77⤵
        
        PID:232
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        78⤵
        
        PID:2200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp64B.tmp.bat""
        77⤵
        
        PID:4192
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        78⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        78⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        76⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        77⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        77⤵
        
        PID:3252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        78⤵
        
        PID:1100
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF34.tmp.bat""
        78⤵
        
        PID:1896
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        79⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        79⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        77⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        78⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        78⤵
        
        PID:4860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        79⤵
        
        PID:3796
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        80⤵
        
        PID:4796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp184C.tmp.bat""
        79⤵
        
        PID:2012
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        80⤵
        Delays execution with timeout.exe
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        80⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        78⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        79⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        79⤵
        
        PID:3208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        80⤵
        
        PID:2828
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        81⤵
        
        PID:1128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2154.tmp.bat""
        80⤵
        
        PID:2188
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        81⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        81⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        79⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        80⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        80⤵
        Checks computer location settings
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        81⤵
        
        PID:4892
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        82⤵
        
        PID:3616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2A7C.tmp.bat""
        81⤵
        
        PID:852
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        82⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        82⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        80⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        81⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        81⤵
        
        PID:540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        82⤵
        
        PID:3488
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        83⤵
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp33B4.tmp.bat""
        82⤵
        
        PID:904
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        83⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        83⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        81⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        82⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        82⤵
        
        PID:1312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        83⤵
        
        PID:4128
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        84⤵
        
        PID:708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3C8D.tmp.bat""
        83⤵
        
        PID:1704
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        84⤵
        Delays execution with timeout.exe
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        82⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        83⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        83⤵
        
        PID:4432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        84⤵
        
        PID:1504
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        85⤵
        
        PID:3968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4596.tmp.bat""
        84⤵
        
        PID:4692
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        85⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        85⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        83⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        84⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        84⤵
        
        PID:3860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        85⤵
        
        PID:2792
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        86⤵
        
        PID:876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4ECD.tmp.bat""
        85⤵
        
        PID:4704
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        86⤵
        Delays execution with timeout.exe
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        86⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        84⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        85⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        85⤵
        Checks computer location settings
        
        PID:3616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        86⤵
        
        PID:4884
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        87⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp57D6.tmp.bat""
        86⤵
        
        PID:2064
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        87⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        87⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        85⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        86⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        86⤵
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        87⤵
        
        PID:388
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        88⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp60AF.tmp.bat""
        87⤵
        
        PID:1988
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        88⤵
        Delays execution with timeout.exe
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        88⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        86⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        87⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        87⤵
        
        PID:408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        88⤵
        
        PID:3252
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        89⤵
        
        PID:3416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6A25.tmp.bat""
        88⤵
        
        PID:4776
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        89⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        89⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        87⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        88⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        88⤵
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        89⤵
        
        PID:948
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        90⤵
        
        PID:1084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp734D.tmp.bat""
        89⤵
        
        PID:4208
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        90⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        90⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        88⤵
        Checks computer location settings
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        89⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        89⤵
        
        PID:3716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        90⤵
        
        PID:1904
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        91⤵
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7C07.tmp.bat""
        90⤵
        
        PID:3896
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        91⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        91⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        89⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        90⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        90⤵
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        91⤵
        
        PID:2200
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        92⤵
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp84B2.tmp.bat""
        91⤵
        
        PID:3884
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        92⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        92⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        90⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        91⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        91⤵
        
        PID:4608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        92⤵
        
        PID:4688
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        93⤵
        
        PID:4128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DF9.tmp.bat""
        92⤵
        
        PID:1948
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        93⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        93⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        91⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        92⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        92⤵
        
        PID:4500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        93⤵
        
        PID:408
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        94⤵
        
        PID:1944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9694.tmp.bat""
        93⤵
        
        PID:3336
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        94⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        94⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        92⤵
        Checks computer location settings
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        93⤵
        
        PID:4432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        94⤵
        
        PID:2628
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        95⤵
        
        PID:4776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9FFA.tmp.bat""
        94⤵
        
        PID:2976
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        95⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        95⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        93⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        94⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        94⤵
        
        PID:5044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        95⤵
        
        PID:5080
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        96⤵
        
        PID:4604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA932.tmp.bat""
        95⤵
        
        PID:3788
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        96⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        96⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        94⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        95⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        95⤵
        
        PID:4064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        96⤵
        
        PID:2152
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        97⤵
        
        PID:4884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB1FC.tmp.bat""
        96⤵
        
        PID:2308
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        97⤵
        Delays execution with timeout.exe
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        97⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        95⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        96⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        96⤵
        
        PID:1196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        97⤵
        
        PID:3200
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        98⤵
        
        PID:3840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBBA0.tmp.bat""
        97⤵
        
        PID:1072
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        98⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        98⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        96⤵
        Checks computer location settings
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        97⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        97⤵
        
        PID:4960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        98⤵
        
        PID:2536
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        99⤵
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC536.tmp.bat""
        98⤵
        
        PID:4516
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        99⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        97⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        98⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        98⤵
        
        PID:4804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        99⤵
        
        PID:3360
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        100⤵
        
        PID:1136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCE0F.tmp.bat""
        99⤵
        
        PID:4772
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        100⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        100⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        98⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        99⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        99⤵
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        100⤵
        
        PID:3104
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        101⤵
        
        PID:5108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD766.tmp.bat""
        100⤵
        
        PID:3900
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        101⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        99⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        100⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        100⤵
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        101⤵
        
        PID:396
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        102⤵
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE168.tmp.bat""
        101⤵
        
        PID:4580
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        102⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        102⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        100⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        101⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        101⤵
        
        PID:3676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        102⤵
        
        PID:3088
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        103⤵
        
        PID:476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEA90.tmp.bat""
        102⤵
        
        PID:1632
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        103⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        103⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        101⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        102⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        102⤵
        
        PID:3884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        103⤵
        
        PID:2088
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        104⤵
        
        PID:1404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF3D7.tmp.bat""
        103⤵
        
        PID:4564
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        104⤵
        Delays execution with timeout.exe
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        102⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        103⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        103⤵
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        104⤵
        
        PID:4892
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        105⤵
        
        PID:904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFCFF.tmp.bat""
        104⤵
        
        PID:4592
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        105⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        105⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        103⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        104⤵
        
        PID:3056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        105⤵
        
        PID:192
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        106⤵
        
        PID:3780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp694.tmp.bat""
        105⤵
        
        PID:2588
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        106⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        106⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        104⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        105⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        105⤵
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        106⤵
        
        PID:3276
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        107⤵
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF7D.tmp.bat""
        106⤵
        
        PID:2860
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        107⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        105⤵
        Checks computer location settings
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        106⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        106⤵
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        107⤵
        
        PID:5044
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        108⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp18A5.tmp.bat""
        107⤵
        
        PID:2356
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        108⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        108⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        106⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        107⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        107⤵
        
        PID:476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        108⤵
        
        PID:656
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        109⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp21FC.tmp.bat""
        108⤵
        
        PID:1464
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        109⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        109⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        107⤵
        Checks computer location settings
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        108⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        108⤵
        
        PID:4860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        109⤵
        
        PID:2700
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        110⤵
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2AF4.tmp.bat""
        109⤵
        
        PID:1148
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        110⤵
        Delays execution with timeout.exe
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        110⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        108⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        109⤵
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        110⤵
        
        PID:2184
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        111⤵
        
        PID:680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp340D.tmp.bat""
        110⤵
        
        PID:1064
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        111⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        111⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        109⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        110⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        110⤵
        
        PID:3360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        111⤵
        
        PID:4900
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        112⤵
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3CE6.tmp.bat""
        111⤵
        
        PID:4392
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        112⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        112⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        110⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        111⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        111⤵
        
        PID:4980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        112⤵
        
        PID:4308
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        113⤵
        
        PID:1544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp45B0.tmp.bat""
        112⤵
        
        PID:3544
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        113⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        113⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        111⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        112⤵
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        113⤵
        
        PID:1088
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        114⤵
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4EB9.tmp.bat""
        113⤵
        
        PID:4464
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        114⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        114⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        112⤵
        Checks computer location settings
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        113⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        113⤵
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        114⤵
        
        PID:3412
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        115⤵
        
        PID:1312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp581F.tmp.bat""
        114⤵
        
        PID:2308
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        115⤵
        Delays execution with timeout.exe
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        115⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        113⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        114⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        114⤵
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        115⤵
        
        PID:2608
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        116⤵
        
        PID:680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6118.tmp.bat""
        115⤵
        
        PID:2932
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        116⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        116⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        114⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        115⤵
        
        PID:360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        116⤵
        
        PID:5028
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        117⤵
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6A30.tmp.bat""
        116⤵
        
        PID:4540
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        117⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        117⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        115⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        116⤵
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        117⤵
        
        PID:1776
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        118⤵
        
        PID:3424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7387.tmp.bat""
        117⤵
        
        PID:4980
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        118⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        118⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        116⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        117⤵
        
        PID:5080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        118⤵
        
        PID:4128
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        119⤵
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CCE.tmp.bat""
        118⤵
        
        PID:1728
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        119⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        117⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        118⤵
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        119⤵
        
        PID:2356
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        120⤵
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp85B7.tmp.bat""
        119⤵
        
        PID:476
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        120⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        120⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        118⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        119⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        119⤵
        Checks computer location settings
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        120⤵
        
        PID:2428
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        121⤵
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F4C.tmp.bat""
        120⤵
        
        PID:1464
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        121⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        121⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        119⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        120⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        120⤵
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        121⤵
        
        PID:3176
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        122⤵
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9835.tmp.bat""
        121⤵
        
        PID:2824
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        122⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        122⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        120⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        121⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        121⤵
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        122⤵
        
        PID:4604
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        123⤵
        
        PID:3424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA15D.tmp.bat""
        122⤵
        
        PID:540
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        123⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        123⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        121⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        122⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        122⤵
        
        PID:4916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        123⤵
        
        PID:396
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        124⤵
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA75.tmp.bat""
        123⤵
        
        PID:4128
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        124⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        124⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        122⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        123⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        123⤵
        
        PID:1112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        124⤵
        
        PID:1584
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        125⤵
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB34F.tmp.bat""
        124⤵
        
        PID:1440
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        125⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        123⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        124⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        124⤵
        
        PID:4996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        125⤵
        
        PID:1624
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        126⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC76.tmp.bat""
        125⤵
        
        PID:3816
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        126⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        126⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        124⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        125⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        125⤵
        
        PID:1188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        126⤵
        
        PID:3156
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        127⤵
        
        PID:4704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC5CD.tmp.bat""
        126⤵
        
        PID:568
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        127⤵
        Delays execution with timeout.exe
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        127⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        125⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        126⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        126⤵
        
        PID:3764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        127⤵
        
        PID:2192
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        128⤵
        
        PID:2660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCEC6.tmp.bat""
        127⤵
        
        PID:5064
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        128⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        126⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        127⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        127⤵
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        128⤵
        
        PID:2676
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        129⤵
        
        PID:188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD80D.tmp.bat""
        128⤵
        
        PID:3356
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        129⤵
        Delays execution with timeout.exe
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        129⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        127⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        128⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        128⤵
        
        PID:4348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        129⤵
        
        PID:5088
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        130⤵
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE144.tmp.bat""
        129⤵
        
        PID:852
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        130⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        130⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        128⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        129⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        129⤵
        Checks computer location settings
        
        PID:4728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        130⤵
        
        PID:4836
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        131⤵
        
        PID:4580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE9FF.tmp.bat""
        130⤵
        
        PID:4752
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        131⤵
        Delays execution with timeout.exe
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        129⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        130⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        130⤵
        
        PID:4192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
        131⤵
        
        PID:2728
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        132⤵
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF355.tmp.bat""
        131⤵
        
        PID:3980
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        132⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        130⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\Done.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Done.exe"
        131⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\Load.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Load.exe"
        131⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        131⤵
        
        PID:668

C:\Users\Admin\AppData\Local\ACCApi\apihost.exe
"C:\Users\Admin\AppData\Local\ACCApi\apihost.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Load.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Done.exe.log

Filesize
410B

MD5
e5f7f742c8556fb04438af7cc96ac384

SHA1
aacf3dc921970079e9e2dee47123474b5a486242

SHA256
532f056ecc417d837c28f58d14c5b44c9edb39087b7f42e6b63938cc9d0ca149

SHA512
192e1088220007d3b4ad2a42ed3ff64f87b0714c8d9203567545287fa845a98da05b9015cd3f8a34430e910f72d61d7681f36beb3719792e3c5bc94e9fe68990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Done.exe

Filesize
69KB

MD5
2453fa8ef7ccc79cada8679f06f2be53

SHA1
b3db41bc85d300a069e6636b5c9e7dcf0a6a95b2

SHA256
e0e329ca03adcd56c5ff4a5cbdaff475a1cf636dfce64b7da1a05f5c74daac88

SHA512
a28398843232745153b3f57d2166aca95e9f930a8334c0ffdb2db192fc8cc8b2d5f5a0a0d123a996f2aa738668209a3541ffb9ed6f42f665aefb9300cd3d45d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Load.exe

Filesize
74KB

MD5
4fc5086bcb8939429aea99f7322e619b

SHA1
8d3bd7d005710a8ae0bd0143d18b437be20018d7

SHA256
e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd

SHA512
04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ltm4vtp.s4w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6C08.tmp.bat

Filesize
148B

MD5
682bd51506945d5d56f0d5ffa9b88bb1

SHA1
e4367d67c834a1043524c9edd4fc25557bba195d

SHA256
78e6cc0465e75ab30a1bc0b3e92bce7644e51dafddabde543a88920d0c21db5a

SHA512
c34b238784092c93a0365c3ae7c1f3ce438ec8f07e5df5a7bf5492842044a4b848c5f7dd78847bb78b1658dccc8f67f80e61d5285e721d9af022f3e7bc03a881

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7966.tmp.bat

Filesize
148B

MD5
617356efa36bb4f99340773638e29eeb

SHA1
ebc0f7000a02314ce8038decc9866a8effbf984e

SHA256
48890f37801b3179e2c4ad1948ae6d71c116fcc21a634378b2b17b798d8a5a54

SHA512
0b1a9cce1f7de3a03ee7254a3f85224ecce4b867bd504b08618f56eee517588a01b85109f77734e621040876ff8acaab12efbf032b8c781e145cd6f442ff3fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81D2.tmp.bat

Filesize
148B

MD5
5ec8a347422ded43223f1738bb75fe69

SHA1
78b7c9732e2cbfcae9dc02bcadd280bc84cd1e1b

SHA256
82e122aaf4c238b2d45e27b6a9b6b456e0d4190220315b1d554eb05bdecc57bc

SHA512
1637537f1966b72774d4da5d9f5fbc0a9136a361756ea66fd62862b1197f55038eb0fe834d5f564a43d6473077fb5a22231b82ffce4c604809339631a56ecc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D4C.tmp.bat

Filesize
148B

MD5
285fe3f31950523f348d5d99086aebc4

SHA1
e7bdd251fe2f105ea0f6ee7c95a00b0935dec585

SHA256
bff8b94aab3eb0ce710c051b4fa07bb5636a164958b6fe95274dbc7d57258010

SHA512
f02379f39c2308a2a20963676de720c8da0beb78fd91d0d22564d1a5a196048957f4e0ab56ed049a99373aa89d868feed66e3f7972b683837f391a36717cab5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9376.tmp.bat

Filesize
148B

MD5
c153990e3a6da8979eba0360f9ba9647

SHA1
794abca54b3c39ff6151fd18b0b2c10ea3be544f

SHA256
55adf3850e4107a364aaffbf09682588871723fb454623cf2ceec745821aac31

SHA512
dfc1af7e38df7330be84808a1fc6137dabbdb36da1b69241dc6e0ba918e331e3c7f851a804db9fe7249e8036b30ea0e4577fa5c6efdfc436564a569a07d8a571

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C7E.tmp.bat

Filesize
148B

MD5
01211982cd3c7b5c001e2b2d7293c103

SHA1
4ba1becf9bc1d08f22febb93fcee0e0dd47336ed

SHA256
e54c1e052ad8a918f5f29c6ae8bb1259fc2245efda9d1240ac50a9b40cc66c31

SHA512
0a5fc1fd1c6e50b5ba0ea0087499f52911560837f0cdbf5f0c8c2b5d36ddeb14c6941d78d57a0920da2c646b2c67925aac62e5c444b8368fb7c4ec8d2bcaeb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA596.tmp.bat

Filesize
148B

MD5
49857c4e428b686d83844bd2bac37859

SHA1
3cdf249473d38e4c7d65e45da7e13f53d25fb536

SHA256
09feb2e83a28050baecf8b71d1c55fda285597e257c42a73e019a7158b322d2d

SHA512
47e704a9e1eed0789b860ba6da8c3ce7356248faef50e487258a594b85c7d002a407ef8acac06e7a615f879886b89c96e8c01f33bbc45965e5ee64ef5e1584bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE70.tmp.bat

Filesize
148B

MD5
7d661fee0a1a921ccbbc36b74223cf88

SHA1
378b4fdce890e3f86878b35525dbeb746f5c5366

SHA256
58349f75be9ef37aad690d5a6c2ec7c91e6bdcdd4cb8f40f354b61934ecd722f

SHA512
41958a1fbf3e4082c9ade64ec2026b96bef2ab7dcb0e6f7ffb0d6471b9b43e276074ce15e8204abf38308680e963d5405d9730475d7e73f6b0c677c844ebdc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB72A.tmp.bat

Filesize
148B

MD5
758c68f7cdb00ea974871b6d788c81bd

SHA1
e3eac8c4a7af71bcae2ec358d2dd1075bf151ff4

SHA256
a27ad238badac3a2aa2dd8e9d553d2fc943cbb6ca0ca79df77fb4b4f3b1efd67

SHA512
93ab532063c6cabdb7593478be39fc29580bdb7be573b93718200fcb5c5e2063808ceca8498af8d9231b26dea3a8d53d171085009f98a59e08d0a789234876b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC043.tmp.bat

Filesize
148B

MD5
3661f1ab1ceff87d4801fce9b4eb3c74

SHA1
e99f6f62ee89378e9315ae4208a612225e108c69

SHA256
4cb48a37eedac1a1c85742670bd8c50d236349f762c66e7bd27a3aa0bc2a2ed1

SHA512
70862b348723ff4f290b48c79d2c588e4d7c81128023b35db23a5cda34343e4a652cd936c7802a98c7668409a9a02ad5a41407810b821bef817289f67c0f9235

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC93B.tmp.bat

Filesize
148B

MD5
f7fe3148e94d3aeb8f2f1cffb57b2c71

SHA1
54c5b1bf5fc94b9c1579921fcb3d31176420421e

SHA256
b5676373c424ed7cf5cb631f49738333aad050a3389897c7009dc2558201f14c

SHA512
9cba7e22981d17b21c5de7ebdda2b51f8dd0355c12c5472771cad80dcc098886dbf5da111c690d8c48a4771e960ceb44afbae23dbbec1fd4123ba1999ce09752

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD234.tmp.bat

Filesize
148B

MD5
41e8d3c5df77ff26bf316cff703d5e88

SHA1
26a2eb989c9c105e59e9a84e334960e6c8395378

SHA256
c54fb3de86006171ef13ddebff0e472adca3daadc6882f7b441a7aa24c746261

SHA512
041b6749421e4c79a1af8fae956c492ee588af7ba1043ebea0c9147d0ab9079163b4de5f236b219413058f21e1b5a4d44156433282af8607aec5fa9a9bcbcfb4

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/1524-35-0x00007FFD2D720000-0x00007FFD2E1E2000-memory.dmp

Filesize
10.8MB

Download
memory/1524-13-0x00007FFD2D720000-0x00007FFD2E1E2000-memory.dmp

Filesize
10.8MB

Download
memory/1524-1-0x0000000000280000-0x00000000004A4000-memory.dmp

Filesize
2.1MB

Download
memory/1524-0-0x00007FFD2D723000-0x00007FFD2D725000-memory.dmp

Filesize
8KB

Download
memory/1860-100-0x0000000005DE0000-0x0000000005DEA000-memory.dmp

Filesize
40KB

Download
memory/2216-101-0x0000000007750000-0x000000000775A000-memory.dmp

Filesize
40KB

Download
memory/2216-71-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/2216-84-0x0000000007570000-0x00000000075A2000-memory.dmp

Filesize
200KB

Download
memory/2216-85-0x0000000072BB0000-0x0000000072BFC000-memory.dmp

Filesize
304KB

Download
memory/2216-95-0x00000000069A0000-0x00000000069BE000-memory.dmp

Filesize
120KB

Download
memory/2216-96-0x00000000075C0000-0x0000000007663000-memory.dmp

Filesize
652KB

Download
memory/2216-98-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/2216-99-0x00000000076F0000-0x000000000770A000-memory.dmp

Filesize
104KB

Download
memory/2216-82-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/2216-81-0x0000000005DA0000-0x00000000060F7000-memory.dmp

Filesize
3.3MB

Download
memory/2216-105-0x0000000007960000-0x00000000079F6000-memory.dmp

Filesize
600KB

Download
memory/2216-83-0x0000000006430000-0x000000000647C000-memory.dmp

Filesize
304KB

Download
memory/2216-70-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/2216-67-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/2216-66-0x00000000055F0000-0x0000000005CBA000-memory.dmp

Filesize
6.8MB

Download
memory/2216-64-0x00000000029E0000-0x0000000002A16000-memory.dmp

Filesize
216KB

Download
memory/4128-39-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/4128-38-0x0000000005560000-0x0000000005B06000-memory.dmp

Filesize
5.6MB

Download
memory/4128-36-0x0000000000670000-0x0000000000688000-memory.dmp

Filesize
96KB

Download
memory/4664-45-0x00007FFD2D720000-0x00007FFD2E1E2000-memory.dmp

Filesize
10.8MB

Download
memory/4664-37-0x00007FFD2D720000-0x00007FFD2E1E2000-memory.dmp

Filesize
10.8MB

Download
memory/4664-34-0x00007FFD2D720000-0x00007FFD2E1E2000-memory.dmp

Filesize
10.8MB

Download
memory/4664-31-0x0000000000600000-0x0000000000618000-memory.dmp

Filesize
96KB

Download