toxiceye | 9d6024dfb9f60054eb1316eb33bf8cbc5c802d9e477a9603db5e1ed585e556f8

Analysis

max time kernel
2s
max time network
22s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.16.exe
Size

381KB
MD5

12d943d0d655d4d54b91d175c3e46e02
SHA1

9b115a4874f3da04e29315e09e50a2d61b826de8
SHA256

9d6024dfb9f60054eb1316eb33bf8cbc5c802d9e477a9603db5e1ed585e556f8
SHA512

1746222789c3f480f9364f3dd654f41be5ed3d520a58f5cd69e0cd08a8d59b81a796c6ac3e6603db493f3d5a48bc748280e19cfd48f4925f7fc38b16b9e38640
SSDEEP

6144:mSncRleSncRlFSncRl0snwou0bUrCsnwou0bUr:r4p4O4Dnwou5vnwou5

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7302074945:AAGKx5TnjPyRM_fqN4XQLd4uz-PUp4nl8w4/sendMessage?chat_id=6414125020

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Executes dropped EXE 34 IoCs

Processes:

STUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXE

pid	process
2692	STUB DO NOT RUN THISS.EXE
2736	STUB DO NOT RUN THISS.EXE
2752	STUB DO NOT RUN THISS.EXE
2864	STUB DO NOT RUN THISS.EXE
2656	STUB DO NOT RUN THISS.EXE
2780	STUB DO NOT RUN THISS.EXE
904	STUB DO NOT RUN THISS.EXE
2496	STUB DO NOT RUN THISS.EXE
1940	STUB DO NOT RUN THISS.EXE
2520	STUB DO NOT RUN THISS.EXE
2932	STUB DO NOT RUN THISS.EXE
1988	STUB DO NOT RUN THISS.EXE
2356	STUB DO NOT RUN THISS.EXE
1160	STUB DO NOT RUN THISS.EXE
2992	STUB DO NOT RUN THISS.EXE
3000	STUB DO NOT RUN THISS.EXE
1004	STUB DO NOT RUN THISS.EXE
2372	STUB DO NOT RUN THISS.EXE
1284	STUB DO NOT RUN THISS.EXE
2132	STUB DO NOT RUN THISS.EXE
2260	STUB DO NOT RUN THISS.EXE
2304	STUB DO NOT RUN THISS.EXE
2748	STUB DO NOT RUN THISS.EXE
2068	STUB DO NOT RUN THISS.EXE
2084	STUB DO NOT RUN THISS.EXE
1752	STUB DO NOT RUN THISS.EXE
2256	STUB DO NOT RUN THISS.EXE
2340	STUB DO NOT RUN THISS.EXE
264	STUB DO NOT RUN THISS.EXE
2684	STUB DO NOT RUN THISS.EXE
2796	STUB DO NOT RUN THISS.EXE
828	STUB DO NOT RUN THISS.EXE
2660	STUB DO NOT RUN THISS.EXE
2536	STUB DO NOT RUN THISS.EXE

Loads dropped DLL 34 IoCs

Processes:

BootstrapperV1.16.exeBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXE

pid	process
2360	BootstrapperV1.16.exe
2540	BOOTSTRAPPERV1.16.EXE
2304	BOOTSTRAPPERV1.16.EXE
2984	BOOTSTRAPPERV1.16.EXE
2876	BOOTSTRAPPERV1.16.EXE
2840	BOOTSTRAPPERV1.16.EXE
2684	BOOTSTRAPPERV1.16.EXE
1712	BOOTSTRAPPERV1.16.EXE
2648	BOOTSTRAPPERV1.16.EXE
2680	BOOTSTRAPPERV1.16.EXE
1576	BOOTSTRAPPERV1.16.EXE
1924	BOOTSTRAPPERV1.16.EXE
1056	BOOTSTRAPPERV1.16.EXE
2388	BOOTSTRAPPERV1.16.EXE
1040	BOOTSTRAPPERV1.16.EXE
2196	BOOTSTRAPPERV1.16.EXE
236	BOOTSTRAPPERV1.16.EXE
1908	BOOTSTRAPPERV1.16.EXE
592	BOOTSTRAPPERV1.16.EXE
2344	BOOTSTRAPPERV1.16.EXE
1776	BOOTSTRAPPERV1.16.EXE
2360	BOOTSTRAPPERV1.16.EXE
2860	BOOTSTRAPPERV1.16.EXE
1204	BOOTSTRAPPERV1.16.EXE
2792	BOOTSTRAPPERV1.16.EXE
2692	BOOTSTRAPPERV1.16.EXE
828	BOOTSTRAPPERV1.16.EXE
2272	BOOTSTRAPPERV1.16.EXE
2396	BOOTSTRAPPERV1.16.EXE
1240	BOOTSTRAPPERV1.16.EXE
2676	BOOTSTRAPPERV1.16.EXE
1204	BOOTSTRAPPERV1.16.EXE
2680	BOOTSTRAPPERV1.16.EXE
320	BOOTSTRAPPERV1.16.EXE

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
2876	tasklist.exe
2280	tasklist.exe
4800	tasklist.exe
5632	tasklist.exe
4060	tasklist.exe
4552	tasklist.exe
3592	tasklist.exe
7000	tasklist.exe
4784	tasklist.exe
2912	tasklist.exe
1568	tasklist.exe
3228	tasklist.exe
4456	tasklist.exe
4952	tasklist.exe
4976	tasklist.exe
6880	tasklist.exe
3044	tasklist.exe
4016	tasklist.exe
4028	tasklist.exe
6108	tasklist.exe
3252	tasklist.exe
2688	tasklist.exe
1340	tasklist.exe
2604	tasklist.exe
6212	tasklist.exe
7508	tasklist.exe
7876	tasklist.exe
3588	tasklist.exe
3996	tasklist.exe
2524	tasklist.exe
5568	tasklist.exe
8064	tasklist.exe
4072	tasklist.exe
3824	tasklist.exe
2892	tasklist.exe
8116	tasklist.exe
6664	tasklist.exe
3356	tasklist.exe
6220	tasklist.exe
6448	tasklist.exe
5252	tasklist.exe
7800	tasklist.exe
4620	tasklist.exe
3300	tasklist.exe
2996	tasklist.exe
4080	tasklist.exe
3392	tasklist.exe
2616	tasklist.exe
4852	tasklist.exe
5012	tasklist.exe
7760	tasklist.exe
4016	tasklist.exe
4228	tasklist.exe
5712	tasklist.exe
7460	tasklist.exe
7160	tasklist.exe
892	tasklist.exe
4996	tasklist.exe
1296	tasklist.exe
7288	tasklist.exe
3632	tasklist.exe
3688	tasklist.exe
2240	tasklist.exe
7020	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
5932	timeout.exe
7644	timeout.exe
6860	timeout.exe
7844	timeout.exe
4812	timeout.exe
3224	timeout.exe
2588	timeout.exe
4164	timeout.exe
2884	timeout.exe
3836	timeout.exe
4640	timeout.exe
3424	timeout.exe
5076	timeout.exe
4888	timeout.exe
4580	timeout.exe
336	timeout.exe
3744	timeout.exe
584	timeout.exe
4280	timeout.exe
2200	timeout.exe
4336	timeout.exe
6656	timeout.exe
6748	timeout.exe
4820	timeout.exe
4832	timeout.exe
2692	timeout.exe
3356	timeout.exe
5412	timeout.exe
6616	timeout.exe
6304	timeout.exe
5900	timeout.exe
3416	timeout.exe
2632	timeout.exe
3364	timeout.exe
4060	timeout.exe
5692	timeout.exe
5476	timeout.exe
3932	timeout.exe
3520	timeout.exe
5712	timeout.exe
5692	timeout.exe
2648	timeout.exe
3488	timeout.exe
1736	timeout.exe
4016	timeout.exe
912	timeout.exe
6576	timeout.exe
7108	timeout.exe
6088	timeout.exe
1824	timeout.exe
1700	timeout.exe
3896	timeout.exe
6140	timeout.exe
2680	timeout.exe
4752	timeout.exe
6068	timeout.exe
2536	timeout.exe
5360	timeout.exe
4544	timeout.exe
4628	timeout.exe
5896	timeout.exe
4712	timeout.exe
3828	timeout.exe
4632	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3000	schtasks.exe
2304	schtasks.exe
5588	schtasks.exe
4636	schtasks.exe
4600	schtasks.exe
3556	schtasks.exe
4708	schtasks.exe
4912	schtasks.exe
3276	schtasks.exe
7860	schtasks.exe
2056	schtasks.exe
4540	schtasks.exe
4524	schtasks.exe
2300	schtasks.exe
6592	schtasks.exe
5184	schtasks.exe
4700	schtasks.exe
1988	schtasks.exe
3364	schtasks.exe
5212	schtasks.exe
1584	schtasks.exe
5436	schtasks.exe
2632	schtasks.exe
7660	schtasks.exe
3624	schtasks.exe
3172	schtasks.exe
3556	schtasks.exe
2848	schtasks.exe
3948	schtasks.exe
4088	schtasks.exe
7352	schtasks.exe
3084	schtasks.exe
1572	schtasks.exe
5236	schtasks.exe
2112	schtasks.exe
5556	schtasks.exe
5948	schtasks.exe
5984	schtasks.exe
4052	schtasks.exe
5272	schtasks.exe
4832	schtasks.exe
3108	schtasks.exe
4080	schtasks.exe
3188	schtasks.exe
7424	schtasks.exe
2256	schtasks.exe
5256	schtasks.exe
3300	schtasks.exe
7236	schtasks.exe
3164	schtasks.exe
3492	schtasks.exe
7128	schtasks.exe
4752	schtasks.exe
2640	schtasks.exe
800	schtasks.exe
4784	schtasks.exe
2588	schtasks.exe
7224	schtasks.exe
7292	schtasks.exe
4304	schtasks.exe
2404	schtasks.exe
3280	schtasks.exe
876	schtasks.exe
3340	schtasks.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

STUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXEtasklist.exeSTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXE

description	pid	process
Token: SeDebugPrivilege	2752	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2656	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2780	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	904	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2496	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	1940	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2520	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2932	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	1988	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2356	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	1160	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2992	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	3000	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	1004	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2372	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	1284	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2132	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2260	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2304	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2748	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2068	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2084	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	1752	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2256	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2340	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	264	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	716	tasklist.exe
Token: SeDebugPrivilege	2796	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2684	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	2660	STUB DO NOT RUN THISS.EXE
Token: SeDebugPrivilege	828	STUB DO NOT RUN THISS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BootstrapperV1.16.exeBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXE

description	pid	process	target process
PID 2360 wrote to memory of 2540	2360	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2360 wrote to memory of 2540	2360	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2360 wrote to memory of 2540	2360	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2360 wrote to memory of 2540	2360	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2360 wrote to memory of 2692	2360	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2360 wrote to memory of 2692	2360	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2360 wrote to memory of 2692	2360	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2360 wrote to memory of 2692	2360	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2540 wrote to memory of 2304	2540	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2540 wrote to memory of 2304	2540	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2540 wrote to memory of 2304	2540	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2540 wrote to memory of 2304	2540	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2540 wrote to memory of 2736	2540	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2540 wrote to memory of 2736	2540	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2540 wrote to memory of 2736	2540	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2540 wrote to memory of 2736	2540	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2304 wrote to memory of 2984	2304	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2304 wrote to memory of 2984	2304	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2304 wrote to memory of 2984	2304	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2304 wrote to memory of 2984	2304	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2304 wrote to memory of 2752	2304	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2304 wrote to memory of 2752	2304	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2304 wrote to memory of 2752	2304	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2304 wrote to memory of 2752	2304	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2984 wrote to memory of 2876	2984	BOOTSTRAPPERV1.16.EXE	tasklist.exe
PID 2984 wrote to memory of 2876	2984	BOOTSTRAPPERV1.16.EXE	tasklist.exe
PID 2984 wrote to memory of 2876	2984	BOOTSTRAPPERV1.16.EXE	tasklist.exe
PID 2984 wrote to memory of 2876	2984	BOOTSTRAPPERV1.16.EXE	tasklist.exe
PID 2984 wrote to memory of 2864	2984	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2984 wrote to memory of 2864	2984	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2984 wrote to memory of 2864	2984	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2984 wrote to memory of 2864	2984	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2876 wrote to memory of 2840	2876	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2876 wrote to memory of 2840	2876	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2876 wrote to memory of 2840	2876	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2876 wrote to memory of 2840	2876	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2876 wrote to memory of 2656	2876	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2876 wrote to memory of 2656	2876	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2876 wrote to memory of 2656	2876	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2876 wrote to memory of 2656	2876	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2840 wrote to memory of 2684	2840	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2840 wrote to memory of 2684	2840	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2840 wrote to memory of 2684	2840	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2840 wrote to memory of 2684	2840	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2840 wrote to memory of 2780	2840	BOOTSTRAPPERV1.16.EXE	conhost.exe
PID 2840 wrote to memory of 2780	2840	BOOTSTRAPPERV1.16.EXE	conhost.exe
PID 2840 wrote to memory of 2780	2840	BOOTSTRAPPERV1.16.EXE	conhost.exe
PID 2840 wrote to memory of 2780	2840	BOOTSTRAPPERV1.16.EXE	conhost.exe
PID 2684 wrote to memory of 1712	2684	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2684 wrote to memory of 1712	2684	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2684 wrote to memory of 1712	2684	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2684 wrote to memory of 1712	2684	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 2684 wrote to memory of 904	2684	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2684 wrote to memory of 904	2684	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2684 wrote to memory of 904	2684	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 2684 wrote to memory of 904	2684	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 1712 wrote to memory of 2648	1712	BOOTSTRAPPERV1.16.EXE	timeout.exe
PID 1712 wrote to memory of 2648	1712	BOOTSTRAPPERV1.16.EXE	timeout.exe
PID 1712 wrote to memory of 2648	1712	BOOTSTRAPPERV1.16.EXE	timeout.exe
PID 1712 wrote to memory of 2648	1712	BOOTSTRAPPERV1.16.EXE	timeout.exe
PID 1712 wrote to memory of 2496	1712	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 1712 wrote to memory of 2496	1712	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 1712 wrote to memory of 2496	1712	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 1712 wrote to memory of 2496	1712	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
  "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
    "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        17⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        21⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        25⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        27⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        29⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        31⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        33⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        37⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        38⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        39⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        40⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        41⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        42⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        43⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        44⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        45⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        46⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        47⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        48⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        49⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        50⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        51⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        52⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        53⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        54⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        55⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        56⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        57⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        58⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        59⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        60⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        61⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        62⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        63⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        64⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        65⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        66⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        67⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        68⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        69⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        70⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        71⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        72⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        73⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        74⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        75⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        76⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        77⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        78⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        79⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        80⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        81⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        82⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        83⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        84⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        85⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        86⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        87⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        88⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        89⤵
        
        PID:6400
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        90⤵
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        91⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        92⤵
        
        PID:6388
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        93⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        94⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        95⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        96⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        97⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        98⤵
        
        PID:7248
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        99⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        100⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        101⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        102⤵
        
        PID:8188
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        103⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        102⤵
        
        PID:7368
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        101⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        100⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        99⤵
        
        PID:8120
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        98⤵
        
        PID:7632
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        97⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        96⤵
        
        PID:6748
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        95⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        94⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        93⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        92⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        91⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        90⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        89⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        88⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        87⤵
        
        PID:5376
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        88⤵
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        86⤵
        
        PID:4900
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        87⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        85⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        84⤵
        
        PID:576
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        83⤵
        
        PID:3880
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        84⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7292
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        82⤵
        
        PID:6008
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        83⤵
        
        PID:6848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp.bat
        83⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        81⤵
        
        PID:5448
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        82⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7224
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        80⤵
        
        PID:1700
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        81⤵
        
        PID:5352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8E7A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8E7A.tmp.bat
        81⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        79⤵
        
        PID:1328
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        80⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        78⤵
        
        PID:3672
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        77⤵
        
        PID:2096
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        78⤵
        
        PID:4556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8CD5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8CD5.tmp.bat
        78⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        76⤵
        
        PID:4116
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        77⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp951E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp951E.tmp.bat
        77⤵
        
        PID:7840
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        75⤵
        
        PID:4028
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        76⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8B2F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8B2F.tmp.bat
        76⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        74⤵
        
        PID:4188
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp94B1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp94B1.tmp.bat
        75⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        73⤵
        
        PID:3948
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        74⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp80A5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp80A5.tmp.bat
        74⤵
        
        PID:3088
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3948"
        75⤵
        Enumerates processes with tasklist
        
        PID:7508
        
        C:\Windows\system32\find.exe
        
        find ":"
        75⤵
        
        PID:7528
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        75⤵
        
        PID:7896
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3948"
        75⤵
        Enumerates processes with tasklist
        
        PID:7160
        
        C:\Windows\system32\find.exe
        
        find ":"
        75⤵
        
        PID:5268
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        75⤵
        
        PID:7944
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3948"
        75⤵
        Enumerates processes with tasklist
        
        PID:7288
        
        C:\Windows\system32\find.exe
        
        find ":"
        75⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        72⤵
        
        PID:2908
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        73⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8EC8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8EC8.tmp.bat
        73⤵
        
        PID:7928
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        71⤵
        
        PID:4864
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        72⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp81CD.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp81CD.tmp.bat
        72⤵
        
        PID:6976
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4864"
        73⤵
        Enumerates processes with tasklist
        
        PID:7800
        
        C:\Windows\system32\find.exe
        
        find ":"
        73⤵
        
        PID:7832
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        73⤵
        Delays execution with timeout.exe
        
        PID:5692
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        73⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        70⤵
        
        PID:3144
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        71⤵
        
        PID:3856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp844D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp844D.tmp.bat
        71⤵
        
        PID:6140
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3144"
        72⤵
        Enumerates processes with tasklist
        
        PID:2892
        
        C:\Windows\system32\find.exe
        
        find ":"
        72⤵
        
        PID:4028
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        72⤵
        
        PID:4708
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3144"
        72⤵
        
        PID:4852
        
        C:\Windows\system32\find.exe
        
        find ":"
        72⤵
        
        PID:6216
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        69⤵
        
        PID:3184
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        70⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp82A7.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp82A7.tmp.bat
        70⤵
        
        PID:6916
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3184"
        71⤵
        Enumerates processes with tasklist
        
        PID:8064
        
        C:\Windows\system32\find.exe
        
        find ":"
        71⤵
        
        PID:8076
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        71⤵
        
        PID:4012
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        71⤵
        
        PID:7808
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        68⤵
        
        PID:2292
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        69⤵
        
        PID:684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp81EC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp81EC.tmp.bat
        69⤵
        
        PID:5884
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2292"
        70⤵
        Enumerates processes with tasklist
        
        PID:7876
        
        C:\Windows\system32\find.exe
        
        find ":"
        70⤵
        
        PID:7888
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        70⤵
        
        PID:1928
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        70⤵
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        67⤵
        
        PID:1668
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        68⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7A6D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7A6D.tmp.bat
        68⤵
        
        PID:6328
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1668"
        69⤵
        
        PID:2360
        
        C:\Windows\system32\find.exe
        
        find ":"
        69⤵
        
        PID:2728
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        69⤵
        Delays execution with timeout.exe
        
        PID:5692
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        69⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        66⤵
        
        PID:4516
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        67⤵
        
        PID:3744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp848B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp848B.tmp.bat
        67⤵
        
        PID:3052
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4516"
        68⤵
        
        PID:6200
        
        C:\Windows\system32\find.exe
        
        find ":"
        68⤵
        
        PID:7524
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        68⤵
        Delays execution with timeout.exe
        
        PID:3356
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        68⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        65⤵
        
        PID:3380
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        66⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7F8C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7F8C.tmp.bat
        66⤵
        
        PID:6216
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3380"
        67⤵
        
        PID:7180
        
        C:\Windows\system32\find.exe
        
        find ":"
        67⤵
        
        PID:7200
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        67⤵
        Delays execution with timeout.exe
        
        PID:7644
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        67⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        64⤵
        
        PID:2260
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp78D8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp78D8.tmp.bat
        65⤵
        
        PID:4044
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2260"
        66⤵
        Enumerates processes with tasklist
        
        PID:3392
        
        C:\Windows\system32\find.exe
        
        find ":"
        66⤵
        
        PID:6504
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        66⤵
        
        PID:4680
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        66⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        63⤵
        
        PID:2528
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        64⤵
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7DB8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7DB8.tmp.bat
        64⤵
        
        PID:2816
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2528"
        65⤵
        Enumerates processes with tasklist
        
        PID:1296
        
        C:\Windows\system32\find.exe
        
        find ":"
        65⤵
        
        PID:7020
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        65⤵
        
        PID:1492
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        65⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        62⤵
        
        PID:3220
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7C32.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7C32.tmp.bat
        63⤵
        
        PID:6852
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3220"
        64⤵
        Enumerates processes with tasklist
        
        PID:3632
        
        C:\Windows\system32\find.exe
        
        find ":"
        64⤵
        
        PID:3876
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        64⤵
        
        PID:2404
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        64⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        61⤵
        
        PID:4892
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        62⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp70BD.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp70BD.tmp.bat
        62⤵
        
        PID:6064
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4892"
        63⤵
        Enumerates processes with tasklist
        
        PID:6448
        
        C:\Windows\system32\find.exe
        
        find ":"
        63⤵
        
        PID:6484
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        63⤵
        
        PID:6976
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        63⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        60⤵
        
        PID:4112
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7002.tmp.bat
        61⤵
        
        PID:5860
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4112"
        62⤵
        
        PID:5256
        
        C:\Windows\system32\find.exe
        
        find ":"
        62⤵
        
        PID:4836
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        62⤵
        Delays execution with timeout.exe
        
        PID:6656
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        62⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        59⤵
        
        PID:4592
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        60⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7021.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7021.tmp.bat
        60⤵
        
        PID:5908
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4592"
        61⤵
        
        PID:5436
        
        C:\Windows\system32\find.exe
        
        find ":"
        61⤵
        
        PID:2884
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        61⤵
        Delays execution with timeout.exe
        
        PID:6576
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        61⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        58⤵
        
        PID:912
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp733D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp733D.tmp.bat
        59⤵
        
        PID:6052
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 912"
        60⤵
        Enumerates processes with tasklist
        
        PID:4852
        
        C:\Windows\system32\find.exe
        
        find ":"
        60⤵
        
        PID:5640
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        60⤵
        Delays execution with timeout.exe
        
        PID:336
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        60⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        57⤵
        
        PID:4044
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        58⤵
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6FE3.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6FE3.tmp.bat
        58⤵
        
        PID:5844
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4044"
        59⤵
        
        PID:6200
        
        C:\Windows\system32\find.exe
        
        find ":"
        59⤵
        
        PID:6260
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        59⤵
        Delays execution with timeout.exe
        
        PID:6748
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4044"
        59⤵
        
        PID:4724
        
        C:\Windows\system32\find.exe
        
        find ":"
        59⤵
        
        PID:6916
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        59⤵
        
        PID:2100
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4044"
        59⤵
        Enumerates processes with tasklist
        
        PID:4784
        
        C:\Windows\system32\find.exe
        
        find ":"
        59⤵
        
        PID:3948
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        59⤵
        
        PID:3896
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4044"
        59⤵
        
        PID:6380
        
        C:\Windows\system32\find.exe
        
        find ":"
        59⤵
        
        PID:7544
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        59⤵
        Delays execution with timeout.exe
        
        PID:6860
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4044"
        59⤵
        Enumerates processes with tasklist
        
        PID:7760
        
        C:\Windows\system32\find.exe
        
        find ":"
        59⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        56⤵
        
        PID:1328
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        57⤵
        
        PID:2268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp69EA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp69EA.tmp.bat
        57⤵
        
        PID:2772
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1328"
        58⤵
        Enumerates processes with tasklist
        
        PID:4080
        
        C:\Windows\system32\find.exe
        
        find ":"
        58⤵
        
        PID:2764
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        58⤵
        Delays execution with timeout.exe
        
        PID:4280
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1328"
        58⤵
        Enumerates processes with tasklist
        
        PID:4976
        
        C:\Windows\system32\find.exe
        
        find ":"
        58⤵
        
        PID:5724
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        58⤵
        
        PID:5896
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1328"
        58⤵
        
        PID:6620
        
        C:\Windows\system32\find.exe
        
        find ":"
        58⤵
        
        PID:6684
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        58⤵
        
        PID:7088
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1328"
        58⤵
        
        PID:4432
        
        C:\Windows\system32\find.exe
        
        find ":"
        58⤵
        
        PID:6688
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        58⤵
        Delays execution with timeout.exe
        
        PID:6068
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1328"
        58⤵
        Enumerates processes with tasklist
        
        PID:6108
        
        C:\Windows\system32\find.exe
        
        find ":"
        58⤵
        
        PID:5724
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        58⤵
        
        PID:7284
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1328"
        58⤵
        
        PID:6324
        
        C:\Windows\system32\find.exe
        
        find ":"
        58⤵
        
        PID:6796
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        58⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        55⤵
        
        PID:4944
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        56⤵
        
        PID:4176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6E1E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6E1E.tmp.bat
        56⤵
        
        PID:5248
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4944"
        57⤵
        Enumerates processes with tasklist
        
        PID:5632
        
        C:\Windows\system32\find.exe
        
        find ":"
        57⤵
        
        PID:5708
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        57⤵
        
        PID:6072
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        57⤵
        
        PID:4828
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        58⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        54⤵
        
        PID:4696
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp67E7.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp67E7.tmp.bat
        55⤵
        
        PID:4336
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4696"
        56⤵
        
        PID:4136
        
        C:\Windows\system32\find.exe
        
        find ":"
        56⤵
        
        PID:5024
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        56⤵
        Delays execution with timeout.exe
        
        PID:4832
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        56⤵
        
        PID:5944
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        53⤵
        
        PID:4420
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        54⤵
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6BFC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6BFC.tmp.bat
        54⤵
        
        PID:2924
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4420"
        55⤵
        Enumerates processes with tasklist
        
        PID:4060
        
        C:\Windows\system32\find.exe
        
        find ":"
        55⤵
        
        PID:5748
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        55⤵
        
        PID:5404
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        55⤵
        
        PID:6024
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        56⤵
        
        PID:8132
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        52⤵
        
        PID:4132
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6E3D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6E3D.tmp.bat
        53⤵
        
        PID:5328
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4132"
        54⤵
        Enumerates processes with tasklist
        
        PID:5568
        
        C:\Windows\system32\find.exe
        
        find ":"
        54⤵
        
        PID:2420
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        54⤵
        Delays execution with timeout.exe
        
        PID:912
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4132"
        54⤵
        
        PID:6604
        
        C:\Windows\system32\find.exe
        
        find ":"
        54⤵
        
        PID:6700
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        54⤵
        
        PID:7032
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4132"
        54⤵
        Enumerates processes with tasklist
        
        PID:6880
        
        C:\Windows\system32\find.exe
        
        find ":"
        54⤵
        
        PID:5712
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        54⤵
        Delays execution with timeout.exe
        
        PID:6304
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4132"
        54⤵
        Enumerates processes with tasklist
        
        PID:2912
        
        C:\Windows\system32\find.exe
        
        find ":"
        54⤵
        
        PID:1984
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        54⤵
        
        PID:6992
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        54⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        51⤵
        
        PID:1708
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        52⤵
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6355.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6355.tmp.bat
        52⤵
        
        PID:3856
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1708"
        53⤵
        
        PID:4664
        
        C:\Windows\system32\find.exe
        
        find ":"
        53⤵
        
        PID:1820
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        53⤵
        Delays execution with timeout.exe
        
        PID:4060
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        53⤵
        
        PID:5772
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        54⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        50⤵
        
        PID:1268
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6A19.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6A19.tmp.bat
        51⤵
        
        PID:776
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1268"
        52⤵
        
        PID:5564
        
        C:\Windows\system32\find.exe
        
        find ":"
        52⤵
        
        PID:5572
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        52⤵
        Delays execution with timeout.exe
        
        PID:5932
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        52⤵
        
        PID:5016
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7352
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        49⤵
        
        PID:2624
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        50⤵
        
        PID:4116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5E65.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5E65.tmp.bat
        50⤵
        
        PID:1068
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2624"
        51⤵
        Enumerates processes with tasklist
        
        PID:2604
        
        C:\Windows\system32\find.exe
        
        find ":"
        51⤵
        
        PID:4104
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        51⤵
        Delays execution with timeout.exe
        
        PID:4164
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2624"
        51⤵
        Enumerates processes with tasklist
        
        PID:4800
        
        C:\Windows\system32\find.exe
        
        find ":"
        51⤵
        
        PID:2360
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        51⤵
        Delays execution with timeout.exe
        
        PID:5076
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2624"
        51⤵
        Enumerates processes with tasklist
        
        PID:2240
        
        C:\Windows\system32\find.exe
        
        find ":"
        51⤵
        
        PID:3700
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        51⤵
        Delays execution with timeout.exe
        
        PID:5360
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        51⤵
        
        PID:2280
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        52⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        48⤵
        
        PID:4084
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        49⤵
        
        PID:3320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5DC9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5DC9.tmp.bat
        49⤵
        
        PID:3692
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4084"
        50⤵
        Enumerates processes with tasklist
        
        PID:2688
        
        C:\Windows\system32\find.exe
        
        find ":"
        50⤵
        
        PID:4192
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        50⤵
        
        PID:4976
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        50⤵
        
        PID:4620
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        51⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        47⤵
        
        PID:3004
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        48⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6393.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6393.tmp.bat
        48⤵
        
        PID:2304
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3004"
        49⤵
        
        PID:3556
        
        C:\Windows\system32\find.exe
        
        find ":"
        49⤵
        
        PID:2412
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        49⤵
        
        PID:3912
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        49⤵
        
        PID:5664
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        50⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        46⤵
        
        PID:2196
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        47⤵
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp61DF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp61DF.tmp.bat
        47⤵
        
        PID:4928
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2196"
        48⤵
        Enumerates processes with tasklist
        
        PID:2524
        
        C:\Windows\system32\find.exe
        
        find ":"
        48⤵
        
        PID:3780
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        48⤵
        Delays execution with timeout.exe
        
        PID:584
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        48⤵
        
        PID:4260
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        49⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        45⤵
        
        PID:3964
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        46⤵
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp.bat
        46⤵
        
        PID:4764
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3964"
        47⤵
        
        PID:1108
        
        C:\Windows\system32\find.exe
        
        find ":"
        47⤵
        
        PID:3932
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        47⤵
        
        PID:3520
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        47⤵
        
        PID:2972
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        48⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        44⤵
        
        PID:3864
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5E08.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5E08.tmp.bat
        45⤵
        
        PID:3352
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3864"
        46⤵
        
        PID:1968
        
        C:\Windows\system32\find.exe
        
        find ":"
        46⤵
        
        PID:4336
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        46⤵
        Delays execution with timeout.exe
        
        PID:2588
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3864"
        46⤵
        Enumerates processes with tasklist
        
        PID:3824
        
        C:\Windows\system32\find.exe
        
        find ":"
        46⤵
        
        PID:2772
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        46⤵
        Delays execution with timeout.exe
        
        PID:4820
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3864"
        46⤵
        
        PID:3028
        
        C:\Windows\system32\find.exe
        
        find ":"
        46⤵
        
        PID:900
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        46⤵
        Delays execution with timeout.exe
        
        PID:3488
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3864"
        46⤵
        
        PID:6100
        
        C:\Windows\system32\find.exe
        
        find ":"
        46⤵
        
        PID:3504
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        46⤵
        Delays execution with timeout.exe
        
        PID:2884
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3864"
        46⤵
        Enumerates processes with tasklist
        
        PID:6212
        
        C:\Windows\system32\find.exe
        
        find ":"
        46⤵
        
        PID:6732
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        46⤵
        
        PID:7096
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3864"
        46⤵
        
        PID:7020
        
        C:\Windows\system32\find.exe
        
        find ":"
        46⤵
        
        PID:3412
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        46⤵
        
        PID:4004
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3864"
        46⤵
        Enumerates processes with tasklist
        
        PID:5012
        
        C:\Windows\system32\find.exe
        
        find ":"
        46⤵
        
        PID:2692
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        46⤵
        Delays execution with timeout.exe
        
        PID:2692
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3864"
        46⤵
        
        PID:4172
        
        C:\Windows\system32\find.exe
        
        find ":"
        46⤵
        
        PID:6212
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        46⤵
        Delays execution with timeout.exe
        
        PID:7844
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        43⤵
        
        PID:3756
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        44⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp52E1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp52E1.tmp.bat
        44⤵
        
        PID:4680
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3756"
        45⤵
        Enumerates processes with tasklist
        
        PID:3044
        
        C:\Windows\system32\find.exe
        
        find ":"
        45⤵
        
        PID:4396
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        45⤵
        Delays execution with timeout.exe
        
        PID:4628
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        45⤵
        
        PID:4288
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        46⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        42⤵
        
        PID:3616
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5274.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5274.tmp.bat
        43⤵
        
        PID:2292
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3616"
        44⤵
        
        PID:2056
        
        C:\Windows\system32\find.exe
        
        find ":"
        44⤵
        
        PID:2500
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        44⤵
        Delays execution with timeout.exe
        
        PID:3224
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        44⤵
        
        PID:4156
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        45⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        41⤵
        
        PID:3356
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        42⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5E66.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5E66.tmp.bat
        42⤵
        
        PID:2812
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3356"
        43⤵
        
        PID:3736
        
        C:\Windows\system32\find.exe
        
        find ":"
        43⤵
        
        PID:3464
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        43⤵
        
        PID:4572
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        43⤵
        
        PID:3200
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        44⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        40⤵
        
        PID:3192
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp57D1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp57D1.tmp.bat
        41⤵
        
        PID:2860
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3192"
        42⤵
        Enumerates processes with tasklist
        
        PID:3252
        
        C:\Windows\system32\find.exe
        
        find ":"
        42⤵
        
        PID:2072
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        42⤵
        Delays execution with timeout.exe
        
        PID:2536
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        42⤵
        
        PID:4952
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        39⤵
        
        PID:3096
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        40⤵
        
        PID:4368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5522.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5522.tmp.bat
        40⤵
        
        PID:3980
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3096"
        41⤵
        
        PID:3344
        
        C:\Windows\system32\find.exe
        
        find ":"
        41⤵
        
        PID:3300
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        41⤵
        
        PID:3436
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3096"
        41⤵
        
        PID:2356
        
        C:\Windows\system32\find.exe
        
        find ":"
        41⤵
        
        PID:4732
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        41⤵
        Delays execution with timeout.exe
        
        PID:3896
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3096"
        41⤵
        
        PID:4988
        
        C:\Windows\system32\find.exe
        
        find ":"
        41⤵
        
        PID:2748
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        41⤵
        Delays execution with timeout.exe
        
        PID:4712
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3096"
        41⤵
        
        PID:3760
        
        C:\Windows\system32\find.exe
        
        find ":"
        41⤵
        
        PID:3052
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        41⤵
        
        PID:3972
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3096"
        41⤵
        
        PID:5972
        
        C:\Windows\system32\find.exe
        
        find ":"
        41⤵
        
        PID:5236
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        41⤵
        Delays execution with timeout.exe
        
        PID:5896
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3096"
        41⤵
        Enumerates processes with tasklist
        
        PID:6220
        
        C:\Windows\system32\find.exe
        
        find ":"
        41⤵
        
        PID:6740
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        41⤵
        Delays execution with timeout.exe
        
        PID:7108
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3096"
        41⤵
        
        PID:2408
        
        C:\Windows\system32\find.exe
        
        find ":"
        41⤵
        
        PID:6660
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        41⤵
        
        PID:3624
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3096"
        41⤵
        Enumerates processes with tasklist
        
        PID:5252
        
        C:\Windows\system32\find.exe
        
        find ":"
        41⤵
        
        PID:2068
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        41⤵
        
        PID:5252
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3096"
        41⤵
        Enumerates processes with tasklist
        
        PID:1568
        
        C:\Windows\system32\find.exe
        
        find ":"
        41⤵
        
        PID:7084
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        41⤵
        Delays execution with timeout.exe
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        38⤵
        
        PID:2388
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        39⤵
        
        PID:4148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp53AC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp53AC.tmp.bat
        39⤵
        
        PID:5092
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2388"
        40⤵
        
        PID:3860
        
        C:\Windows\system32\find.exe
        
        find ":"
        40⤵
        
        PID:2236
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        40⤵
        Delays execution with timeout.exe
        
        PID:1700
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        40⤵
        
        PID:304
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        37⤵
        
        PID:2344
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        38⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5C43.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5C43.tmp.bat
        38⤵
        
        PID:4368
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2344"
        39⤵
        Enumerates processes with tasklist
        
        PID:2996
        
        C:\Windows\system32\find.exe
        
        find ":"
        39⤵
        
        PID:4404
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        39⤵
        
        PID:4296
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        39⤵
        
        PID:4508
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        36⤵
        
        PID:2208
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        37⤵
        
        PID:236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5256.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5256.tmp.bat
        37⤵
        
        PID:3008
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2208"
        38⤵
        
        PID:4512
        
        C:\Windows\system32\find.exe
        
        find ":"
        38⤵
        
        PID:3996
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        38⤵
        
        PID:4688
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        38⤵
        
        PID:3040
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        35⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4F58.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4F58.tmp.bat
        36⤵
        
        PID:3184
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2536"
        37⤵
        Enumerates processes with tasklist
        
        PID:4620
        
        C:\Windows\system32\find.exe
        
        find ":"
        37⤵
        
        PID:3212
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        37⤵
        Delays execution with timeout.exe
        
        PID:2680
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        37⤵
        
        PID:2872
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        38⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5E46.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5E46.tmp.bat
        35⤵
        
        PID:2332
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2660"
        36⤵
        
        PID:3716
        
        C:\Windows\system32\find.exe
        
        find ":"
        36⤵
        
        PID:4508
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        36⤵
        
        PID:1972
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        36⤵
        
        PID:3944
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        37⤵
        
        PID:6980
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        34⤵
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp59F3.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp59F3.tmp.bat
        34⤵
        
        PID:3432
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 828"
        35⤵
        
        PID:2840
        
        C:\Windows\system32\find.exe
        
        find ":"
        35⤵
        
        PID:5016
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        35⤵
        
        PID:3736
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        35⤵
        
        PID:4732
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        33⤵
        
        PID:3532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4AC6.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4AC6.tmp.bat
        33⤵
        
        PID:3736
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2796"
        34⤵
        
        PID:3880
        
        C:\Windows\system32\find.exe
        
        find ":"
        34⤵
        
        PID:3888
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        34⤵
        
        PID:3600
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        34⤵
        
        PID:4344
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        35⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        32⤵
        
        PID:4756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp56A8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp56A8.tmp.bat
        32⤵
        
        PID:4148
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2684"
        33⤵
        Enumerates processes with tasklist
        
        PID:4016
        
        C:\Windows\system32\find.exe
        
        find ":"
        33⤵
        
        PID:4160
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        33⤵
        Delays execution with timeout.exe
        
        PID:4336
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        33⤵
        
        PID:4232
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        34⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5245.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5245.tmp.bat
        31⤵
        
        PID:5016
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 264"
        32⤵
        
        PID:4288
        
        C:\Windows\system32\find.exe
        
        find ":"
        32⤵
        
        PID:3956
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        32⤵
        Delays execution with timeout.exe
        
        PID:4632
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        32⤵
        
        PID:1284
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        33⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        30⤵
        
        PID:4244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp586D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp586D.tmp.bat
        30⤵
        
        PID:3068
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2340"
        31⤵
        Enumerates processes with tasklist
        
        PID:892
        
        C:\Windows\system32\find.exe
        
        find ":"
        31⤵
        
        PID:2908
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        31⤵
        
        PID:1572
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2340"
        31⤵
        
        PID:2524
        
        C:\Windows\system32\find.exe
        
        find ":"
        31⤵
        
        PID:2036
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        31⤵
        
        PID:2968
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2340"
        31⤵
        Enumerates processes with tasklist
        
        PID:4016
        
        C:\Windows\system32\find.exe
        
        find ":"
        31⤵
        
        PID:3736
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        31⤵
        Delays execution with timeout.exe
        
        PID:3520
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2340"
        31⤵
        
        PID:3700
        
        C:\Windows\system32\find.exe
        
        find ":"
        31⤵
        
        PID:5168
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        31⤵
        
        PID:5420
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2340"
        31⤵
        Enumerates processes with tasklist
        
        PID:2616
        
        C:\Windows\system32\find.exe
        
        find ":"
        31⤵
        
        PID:5376
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        31⤵
        Delays execution with timeout.exe
        
        PID:5712
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2340"
        31⤵
        
        PID:6984
        
        C:\Windows\system32\find.exe
        
        find ":"
        31⤵
        
        PID:3276
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        31⤵
        Delays execution with timeout.exe
        
        PID:6616
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2340"
        31⤵
        Enumerates processes with tasklist
        
        PID:5712
        
        C:\Windows\system32\find.exe
        
        find ":"
        31⤵
        
        PID:5972
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        31⤵
        
        PID:3648
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2340"
        31⤵
        
        PID:7340
        
        C:\Windows\system32\find.exe
        
        find ":"
        31⤵
        
        PID:7672
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        31⤵
        
        PID:8056
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2340"
        31⤵
        Enumerates processes with tasklist
        
        PID:8116
        
        C:\Windows\system32\find.exe
        
        find ":"
        31⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        29⤵
        
        PID:3288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4D84.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4D84.tmp.bat
        29⤵
        
        PID:3488
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2256"
        30⤵
        
        PID:4588
        
        C:\Windows\system32\find.exe
        
        find ":"
        30⤵
        
        PID:4616
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        30⤵
        
        PID:4904
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        30⤵
        
        PID:4692
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp55AF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp55AF.tmp.bat
        28⤵
        
        PID:2744
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1752"
        29⤵
        
        PID:4292
        
        C:\Windows\system32\find.exe
        
        find ":"
        29⤵
        
        PID:3112
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        29⤵
        Delays execution with timeout.exe
        
        PID:2632
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        29⤵
        
        PID:3192
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        27⤵
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5A60.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5A60.tmp.bat
        27⤵
        
        PID:1080
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2084"
        28⤵
        
        PID:4812
        
        C:\Windows\system32\find.exe
        
        find ":"
        28⤵
        
        PID:2396
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        28⤵
        
        PID:1968
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        28⤵
        
        PID:3316
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        29⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp562B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp562B.tmp.bat
        26⤵
        
        PID:2740
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2068"
        27⤵
        Enumerates processes with tasklist
        
        PID:4072
        
        C:\Windows\system32\find.exe
        
        find ":"
        27⤵
        
        PID:1292
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        27⤵
        
        PID:2212
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2068"
        27⤵
        Enumerates processes with tasklist
        
        PID:3996
        
        C:\Windows\system32\find.exe
        
        find ":"
        27⤵
        
        PID:4440
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        27⤵
        
        PID:3252
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2068"
        27⤵
        Enumerates processes with tasklist
        
        PID:4028
        
        C:\Windows\system32\find.exe
        
        find ":"
        27⤵
        
        PID:3636
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        27⤵
        Delays execution with timeout.exe
        
        PID:3364
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2068"
        27⤵
        Enumerates processes with tasklist
        
        PID:3688
        
        C:\Windows\system32\find.exe
        
        find ":"
        27⤵
        
        PID:4976
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        27⤵
        
        PID:3688
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2068"
        27⤵
        
        PID:3308
        
        C:\Windows\system32\find.exe
        
        find ":"
        27⤵
        
        PID:3528
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        27⤵
        
        PID:2116
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2068"
        27⤵
        
        PID:3584
        
        C:\Windows\system32\find.exe
        
        find ":"
        27⤵
        
        PID:6188
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        27⤵
        
        PID:7076
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2068"
        27⤵
        Enumerates processes with tasklist
        
        PID:4228
        
        C:\Windows\system32\find.exe
        
        find ":"
        27⤵
        
        PID:2624
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        27⤵
        Delays execution with timeout.exe
        
        PID:5900
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        27⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        25⤵
        
        PID:4128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5B0B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5B0B.tmp.bat
        25⤵
        
        PID:2720
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2748"
        26⤵
        
        PID:4084
        
        C:\Windows\system32\find.exe
        
        find ":"
        26⤵
        
        PID:4016
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        26⤵
        
        PID:3324
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        26⤵
        
        PID:1632
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        24⤵
        
        PID:624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp536D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp536D.tmp.bat
        24⤵
        
        PID:4836
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2304"
        25⤵
        
        PID:2188
        
        C:\Windows\system32\find.exe
        
        find ":"
        25⤵
        
        PID:2564
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        25⤵
        Delays execution with timeout.exe
        
        PID:2648
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        25⤵
        
        PID:4248
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        26⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp53CB.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp53CB.tmp.bat
        23⤵
        
        PID:4064
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2260"
        24⤵
        
        PID:3872
        
        C:\Windows\system32\find.exe
        
        find ":"
        24⤵
        
        PID:4660
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        24⤵
        
        PID:4932
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        24⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        22⤵
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp48B4.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp48B4.tmp.bat
        22⤵
        
        PID:2392
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2132"
        23⤵
        
        PID:1588
        
        C:\Windows\system32\find.exe
        
        find ":"
        23⤵
        
        PID:1136
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        23⤵
        Delays execution with timeout.exe
        
        PID:3416
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        23⤵
        
        PID:3536
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        21⤵
        
        PID:3424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp586E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp586E.tmp.bat
        21⤵
        
        PID:3304
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1284"
        22⤵
        
        PID:4404
        
        C:\Windows\system32\find.exe
        
        find ":"
        22⤵
        
        PID:5108
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        22⤵
        
        PID:1292
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1284"
        22⤵
        
        PID:5072
        
        C:\Windows\system32\find.exe
        
        find ":"
        22⤵
        
        PID:3996
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        22⤵
        
        PID:2684
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1284"
        22⤵
        Enumerates processes with tasklist
        
        PID:3356
        
        C:\Windows\system32\find.exe
        
        find ":"
        22⤵
        
        PID:2520
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        22⤵
        Delays execution with timeout.exe
        
        PID:4752
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1284"
        22⤵
        Enumerates processes with tasklist
        
        PID:1340
        
        C:\Windows\system32\find.exe
        
        find ":"
        22⤵
        
        PID:5292
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        22⤵
        Delays execution with timeout.exe
        
        PID:6140
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1284"
        22⤵
        
        PID:6084
        
        C:\Windows\system32\find.exe
        
        find ":"
        22⤵
        
        PID:5140
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        22⤵
        Delays execution with timeout.exe
        
        PID:2200
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1284"
        22⤵
        Enumerates processes with tasklist
        
        PID:7020
        
        C:\Windows\system32\find.exe
        
        find ":"
        22⤵
        
        PID:4756
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        22⤵
        Delays execution with timeout.exe
        
        PID:6088
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1284"
        22⤵
        
        PID:5000
        
        C:\Windows\system32\find.exe
        
        find ":"
        22⤵
        
        PID:5992
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        22⤵
        
        PID:6572
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1284"
        22⤵
        
        PID:7404
        
        C:\Windows\system32\find.exe
        
        find ":"
        22⤵
        
        PID:7732
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        22⤵
        
        PID:8148
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1284"
        22⤵
        
        PID:6316
        
        C:\Windows\system32\find.exe
        
        find ":"
        22⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        20⤵
        
        PID:4072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4CB9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4CB9.tmp.bat
        20⤵
        
        PID:2592
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2372"
        21⤵
        
        PID:3200
        
        C:\Windows\system32\find.exe
        
        find ":"
        21⤵
        
        PID:3104
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        21⤵
        Delays execution with timeout.exe
        
        PID:3744
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        21⤵
        
        PID:1128
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5255.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5255.tmp.bat
        19⤵
        
        PID:5104
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1004"
        20⤵
        
        PID:3564
        
        C:\Windows\system32\find.exe
        
        find ":"
        20⤵
        
        PID:4276
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        20⤵
        Delays execution with timeout.exe
        
        PID:4544
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        20⤵
        
        PID:3248
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5216.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5216.tmp.bat
        18⤵
        
        PID:4968
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3000"
        19⤵
        Enumerates processes with tasklist
        
        PID:3228
        
        C:\Windows\system32\find.exe
        
        find ":"
        19⤵
        
        PID:4052
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        19⤵
        Delays execution with timeout.exe
        
        PID:4580
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3000"
        19⤵
        Enumerates processes with tasklist
        
        PID:2280
        
        C:\Windows\system32\find.exe
        
        find ":"
        19⤵
        
        PID:4648
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        19⤵
        
        PID:1720
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3000"
        19⤵
        Enumerates processes with tasklist
        
        PID:4996
        
        C:\Windows\system32\find.exe
        
        find ":"
        19⤵
        
        PID:4232
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        19⤵
        
        PID:4656
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        19⤵
        
        PID:3484
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2992 -s 852
        17⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp.bat
        16⤵
        
        PID:876
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1160"
        17⤵
        Enumerates processes with tasklist
        
        PID:4552
        
        C:\Windows\system32\find.exe
        
        find ":"
        17⤵
        
        PID:4604
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        17⤵
        Delays execution with timeout.exe
        
        PID:4888
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        17⤵
        
        PID:3800
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        18⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        15⤵
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp49DC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp49DC.tmp.bat
        15⤵
        
        PID:3260
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2356"
        16⤵
        
        PID:3460
        
        C:\Windows\system32\find.exe
        
        find ":"
        16⤵
        
        PID:3480
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        16⤵
        Delays execution with timeout.exe
        
        PID:3828
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        16⤵
        
        PID:3532
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        14⤵
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4D75.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4D75.tmp.bat
        14⤵
        
        PID:2888
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1988"
        15⤵
        
        PID:4500
        
        C:\Windows\system32\find.exe
        
        find ":"
        15⤵
        
        PID:4508
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        15⤵
        Delays execution with timeout.exe
        
        PID:4812
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1988"
        15⤵
        Enumerates processes with tasklist
        
        PID:2876
        
        C:\Windows\system32\find.exe
        
        find ":"
        15⤵
        
        PID:2384
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        15⤵
        Delays execution with timeout.exe
        
        PID:4016
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        15⤵
        
        PID:3096
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        16⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4A49.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4A49.tmp.bat
        13⤵
        
        PID:3488
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2932"
        14⤵
        Enumerates processes with tasklist
        
        PID:3588
        
        C:\Windows\system32\find.exe
        
        find ":"
        14⤵
        
        PID:3596
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        14⤵
        
        PID:3996
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        14⤵
        
        PID:3696
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        15⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4CC9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4CC9.tmp.bat
        12⤵
        
        PID:2796
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2520"
        13⤵
        
        PID:3176
        
        C:\Windows\system32\find.exe
        
        find ":"
        13⤵
        
        PID:1256
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        13⤵
        
        PID:4356
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        13⤵
        
        PID:4316
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        14⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        11⤵
        
        PID:4108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp53EA.tmp.bat
        11⤵
        
        PID:1676
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1940"
        12⤵
        Enumerates processes with tasklist
        
        PID:3592
        
        C:\Windows\system32\find.exe
        
        find ":"
        12⤵
        
        PID:1932
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:4640
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        12⤵
        
        PID:3992
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        10⤵
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp470E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp470E.tmp.bat
        10⤵
        
        PID:800
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2496"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
        
        C:\Windows\system32\find.exe
        
        find ":"
        11⤵
        
        PID:2720
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        11⤵
        Delays execution with timeout.exe
        
        PID:1824
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        11⤵
        
        PID:3708
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        12⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5457.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5457.tmp.bat
        8⤵
        
        PID:4992
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2780"
        9⤵
        Enumerates processes with tasklist
        
        PID:4456
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3844
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3932
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2780"
        9⤵
        Enumerates processes with tasklist
        
        PID:4952
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:5072
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        
        PID:3944
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2780"
        9⤵
        
        PID:4792
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:4144
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3424
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2780"
        9⤵
        
        PID:1268
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2632
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:5412
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2780"
        9⤵
        
        PID:5916
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:6112
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        
        PID:2812
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2780"
        9⤵
        Enumerates processes with tasklist
        
        PID:7000
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:5232
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        
        PID:5488
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2780"
        9⤵
        
        PID:7020
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:5724
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:1736
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2780"
        9⤵
        Enumerates processes with tasklist
        
        PID:7460
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:7772
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        
        PID:8180
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2780"
        9⤵
        Enumerates processes with tasklist
        
        PID:6664
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:6020
      - C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        7⤵
        
        PID:3168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp52D1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp52D1.tmp.bat
        7⤵
        
        PID:4436
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2656"
        8⤵
        Enumerates processes with tasklist
        
        PID:3300
        
        C:\Windows\system32\find.exe
        
        find ":"
        8⤵
        
        PID:3484
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:3836
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        8⤵
        
        PID:4780
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5236
    - - C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        5⤵
        Executes dropped EXE
        
        PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
      "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2752
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        5⤵
        
        PID:2024
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.bat
        5⤵
        
        PID:3176
      - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2752"
        6⤵
        
        PID:4048
      - C:\Windows\system32\find.exe
        
        find ":"
        6⤵
        
        PID:2224
      - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        6⤵
        
        PID:1576
      - C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        6⤵
        
        PID:4412
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        7⤵
        
        PID:1932
- - C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
    "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
    3⤵
    - Executes dropped EXE
    PID:2736
- C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
  "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
  2⤵
  - Executes dropped EXE
  PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "542382996-893712687-452265968-398736235-10885531618934022541794425350-1334389271"
1⤵
PID:2932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-840220061-1903426685-20929525739829646641534311053-203990971620481628221561200267"
1⤵
PID:1240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "72575231911959356371479975436295234976501817960-698651753-371287647-276275577"
1⤵
PID:1204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8361498201225527859149069187480720086-972452708-821252673-44263638279360706"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8441018649404517436092208261235449482315776819106160621701791980-929929071"
1⤵
PID:2068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2073149201164123992-1077615712-4430650141489736576-759339342463495028-750978335"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2113465937-1227151756-42992416519802469441451865913779502140-1586909827-941424321"
1⤵
PID:2832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-823347876-6641092466509837275297675632011463913173607732-1406419305-638045736"
1⤵
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1804099053-740694610891056462-744564096-1988768148-467585623-2039713828-715469007"
1⤵
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE

Filesize
111KB

MD5
86de4e40528fd099ae01872b6af837cf

SHA1
c616d8e3dc5643a15127dce69a327ce37a6b8ab8

SHA256
7485b221926010f27cda7f15f35a5c465558eb8c20b4fc37053850ed2b4a211a

SHA512
e9912f89c17ff6e7cd897d3256a2a4cd097090dcfee2a8dd85d98de0e618513efe8d3508cca5cbeb2711f27b4602c22cadd25f8eb1b417e7244da54a5db3a4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp470E.tmp.bat

Filesize
198B

MD5
645e44fab11a75b78ffe4459808cf1ff

SHA1
2923fcf08558fa94e4ab4beaa90b46b03e35f555

SHA256
9503fbd75a773347ee1022206190bef2910bcf8728352dba5bc19c8f74a249cb

SHA512
e00b833cf6e029817c29463ea70a3cd59998a2751f2e5930cc750daaae36656a4e1b301be83af3c2f22b51d266ae809a68f1f2ff35d8289f3d9943fc6d29aa0b

Download Submit
memory/2736-10-0x0000000000D30000-0x0000000000D52000-memory.dmp

Filesize
136KB

Download
memory/3532-83-0x0000000000A20000-0x0000000000A42000-memory.dmp

Filesize
136KB

Download