toxiceye | 9d6024dfb9f60054eb1316eb33bf8cbc5c802d9e477a9603db5e1ed585e556f8

Analysis

max time kernel
0s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 23:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

BootstrapperV1.16.exe
Size

381KB
MD5

12d943d0d655d4d54b91d175c3e46e02
SHA1

9b115a4874f3da04e29315e09e50a2d61b826de8
SHA256

9d6024dfb9f60054eb1316eb33bf8cbc5c802d9e477a9603db5e1ed585e556f8
SHA512

1746222789c3f480f9364f3dd654f41be5ed3d520a58f5cd69e0cd08a8d59b81a796c6ac3e6603db493f3d5a48bc748280e19cfd48f4925f7fc38b16b9e38640
SSDEEP

6144:mSncRleSncRlFSncRl0snwou0bUrCsnwou0bUr:r4p4O4Dnwou5vnwou5

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7302074945:AAGKx5TnjPyRM_fqN4XQLd4uz-PUp4nl8w4/sendMessage?chat_id=6414125020

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BootstrapperV1.16.exeBOOTSTRAPPERV1.16.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	BootstrapperV1.16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	BOOTSTRAPPERV1.16.EXE

Executes dropped EXE 2 IoCs

Processes:

STUB DO NOT RUN THISS.EXESTUB DO NOT RUN THISS.EXE

pid process

1500 STUB DO NOT RUN THISS.EXE
2368 STUB DO NOT RUN THISS.EXE

pid	process
1500	STUB DO NOT RUN THISS.EXE
2368	STUB DO NOT RUN THISS.EXE

Enumerates processes with tasklist 1 TTPs 30 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
3748	tasklist.exe
3748	tasklist.exe
5420	tasklist.exe
4304	tasklist.exe
1176	tasklist.exe
3988	tasklist.exe
5880	tasklist.exe
6440	tasklist.exe
3548	tasklist.exe
5152	tasklist.exe
3904	tasklist.exe
4072	tasklist.exe
6280	tasklist.exe
2112	tasklist.exe
5816	tasklist.exe
5132	tasklist.exe
5316	tasklist.exe
3092	tasklist.exe
2908	tasklist.exe
3016	tasklist.exe
4424	tasklist.exe
3548	tasklist.exe
3932	tasklist.exe
2868	tasklist.exe
6320	tasklist.exe
4244	tasklist.exe
2712	tasklist.exe
4184	tasklist.exe
864	tasklist.exe
1628	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

BootstrapperV1.16.exeBOOTSTRAPPERV1.16.EXEBOOTSTRAPPERV1.16.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOTSTRAPPERV1.16.EXE

Delays execution with timeout.exe 22 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
5584	timeout.exe
4768	timeout.exe
5136	timeout.exe
1816	timeout.exe
2112	timeout.exe
3124	timeout.exe
1676	timeout.exe
6744	timeout.exe
4580	timeout.exe
4608	timeout.exe
2412	timeout.exe
1392	timeout.exe
2396	timeout.exe
6140	timeout.exe
5008	timeout.exe
6148	timeout.exe
3120	timeout.exe
3748	timeout.exe
4416	timeout.exe
5212	timeout.exe
5752	timeout.exe
5984	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 43 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4960	schtasks.exe
5248	schtasks.exe
3880	schtasks.exe
1724	schtasks.exe
4648	schtasks.exe
4604	schtasks.exe
3604	schtasks.exe
6572	schtasks.exe
6784	schtasks.exe
6840	schtasks.exe
6860	schtasks.exe
1380	schtasks.exe
5100	schtasks.exe
5668	schtasks.exe
6904	schtasks.exe
5968	schtasks.exe
6552	schtasks.exe
3940	schtasks.exe
1392	schtasks.exe
1588	schtasks.exe
4004	schtasks.exe
312	schtasks.exe
5872	schtasks.exe
5960	schtasks.exe
668	schtasks.exe
4664	schtasks.exe
5276	schtasks.exe
3112	schtasks.exe
4480	schtasks.exe
5008	schtasks.exe
5440	schtasks.exe
3632	schtasks.exe
812	schtasks.exe
5460	schtasks.exe
1032	schtasks.exe
5556	schtasks.exe
5188	schtasks.exe
6896	schtasks.exe
536	schtasks.exe
448	schtasks.exe
6000	schtasks.exe
5572	schtasks.exe
6040	schtasks.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

BootstrapperV1.16.exeBOOTSTRAPPERV1.16.EXE

description	pid	process	target process
PID 2732 wrote to memory of 1360	2732	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2732 wrote to memory of 1360	2732	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2732 wrote to memory of 1360	2732	BootstrapperV1.16.exe	BOOTSTRAPPERV1.16.EXE
PID 2732 wrote to memory of 1500	2732	BootstrapperV1.16.exe	STUB DO NOT RUN THISS.EXE
PID 2732 wrote to memory of 1500	2732	BootstrapperV1.16.exe	STUB DO NOT RUN THISS.EXE
PID 1360 wrote to memory of 4308	1360	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 1360 wrote to memory of 4308	1360	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 1360 wrote to memory of 4308	1360	BOOTSTRAPPERV1.16.EXE	BOOTSTRAPPERV1.16.EXE
PID 1360 wrote to memory of 2368	1360	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE
PID 1360 wrote to memory of 2368	1360	BOOTSTRAPPERV1.16.EXE	STUB DO NOT RUN THISS.EXE

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.16.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
  "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
    "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
      4⤵
      PID:3268
    - - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        5⤵
        
        PID:312
      - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        6⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        7⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        8⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        9⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        10⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        11⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        12⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        13⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        14⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        15⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        16⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        17⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        18⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        19⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        20⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        21⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        22⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        23⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        24⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        25⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        26⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        27⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        28⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        29⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        30⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        31⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        32⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        33⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        34⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        35⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        36⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        37⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        38⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        39⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        40⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        41⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        42⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        43⤵
        
        PID:6696
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        44⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPERV1.16.EXE"
        45⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        45⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        44⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        43⤵
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        42⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        41⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        40⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        39⤵
        
        PID:5672
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        38⤵
        
        PID:5556
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        37⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        36⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        35⤵
        
        PID:1424
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF0B9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF0B9.tmp.bat
        36⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        34⤵
        
        PID:2372
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        33⤵
        
        PID:5640
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEF32.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpEF32.tmp.bat
        34⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        32⤵
        
        PID:2776
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF1E2.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF1E2.tmp.bat
        33⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        31⤵
        
        PID:5956
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF201.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF201.tmp.bat
        32⤵
        
        PID:6916
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        30⤵
        
        PID:6060
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE7DF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpE7DF.tmp.bat
        31⤵
        
        PID:4976
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 6060"
        32⤵
        Enumerates processes with tasklist
        
        PID:6280
        
        C:\Windows\system32\find.exe
        
        find ":"
        32⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        29⤵
        
        PID:5676
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpEB5A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpEB5A.tmp.bat
        30⤵
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        28⤵
        
        PID:3220
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE60A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpE60A.tmp.bat
        29⤵
        
        PID:3120
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3220"
        30⤵
        Enumerates processes with tasklist
        
        PID:6440
        
        C:\Windows\system32\find.exe
        
        find ":"
        30⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        27⤵
        
        PID:5976
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE2CE.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpE2CE.tmp.bat
        28⤵
        
        PID:4184
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 5976"
        29⤵
        Enumerates processes with tasklist
        
        PID:5880
        
        C:\Windows\system32\find.exe
        
        find ":"
        29⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        26⤵
        
        PID:5688
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE3A9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpE3A9.tmp.bat
        27⤵
        
        PID:2148
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 5688"
        28⤵
        Enumerates processes with tasklist
        
        PID:2908
        
        C:\Windows\system32\find.exe
        
        find ":"
        28⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        25⤵
        
        PID:5336
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE138.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpE138.tmp.bat
        26⤵
        
        PID:1688
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 5336"
        27⤵
        Enumerates processes with tasklist
        
        PID:3092
        
        C:\Windows\system32\find.exe
        
        find ":"
        27⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        24⤵
        
        PID:3600
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE1A5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpE1A5.tmp.bat
        25⤵
        
        PID:5876
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3600"
        26⤵
        Enumerates processes with tasklist
        
        PID:3988
        
        C:\Windows\system32\find.exe
        
        find ":"
        26⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        23⤵
        
        PID:1364
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE0FA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpE0FA.tmp.bat
        24⤵
        
        PID:1412
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1364"
        25⤵
        Enumerates processes with tasklist
        
        PID:5420
        
        C:\Windows\system32\find.exe
        
        find ":"
        25⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        22⤵
        
        PID:5040
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpDBBA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpDBBA.tmp.bat
        23⤵
        
        PID:5952
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 5040"
        24⤵
        Enumerates processes with tasklist
        
        PID:1628
        
        C:\Windows\system32\find.exe
        
        find ":"
        24⤵
        
        PID:2312
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        24⤵
        Delays execution with timeout.exe
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        21⤵
        
        PID:1336
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpDD9E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpDD9E.tmp.bat
        22⤵
        
        PID:2016
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1336"
        23⤵
        Enumerates processes with tasklist
        
        PID:2868
        
        C:\Windows\system32\find.exe
        
        find ":"
        23⤵
        
        PID:1928
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        23⤵
        Delays execution with timeout.exe
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        20⤵
        
        PID:5116
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpDDEC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpDDEC.tmp.bat
        21⤵
        
        PID:4512
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 5116"
        22⤵
        Enumerates processes with tasklist
        
        PID:5152
        
        C:\Windows\system32\find.exe
        
        find ":"
        22⤵
        
        PID:5364
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        22⤵
        Delays execution with timeout.exe
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        19⤵
        
        PID:4256
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD7F1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD7F1.tmp.bat
        20⤵
        
        PID:5680
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4256"
        21⤵
        Enumerates processes with tasklist
        
        PID:5132
        
        C:\Windows\system32\find.exe
        
        find ":"
        21⤵
        
        PID:4088
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        21⤵
        Delays execution with timeout.exe
        
        PID:5008
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        21⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        18⤵
        
        PID:2016
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD87E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD87E.tmp.bat
        19⤵
        
        PID:5352
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2016"
        20⤵
        Enumerates processes with tasklist
        
        PID:864
        
        C:\Windows\system32\find.exe
        
        find ":"
        20⤵
        
        PID:5904
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        20⤵
        Delays execution with timeout.exe
        
        PID:4416
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2016"
        20⤵
        Enumerates processes with tasklist
        
        PID:6320
        
        C:\Windows\system32\find.exe
        
        find ":"
        20⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        17⤵
        
        PID:2328
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD570.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD570.tmp.bat
        18⤵
        
        PID:5992
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2328"
        19⤵
        Enumerates processes with tasklist
        
        PID:3748
        
        C:\Windows\system32\find.exe
        
        find ":"
        19⤵
        
        PID:5488
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        19⤵
        Delays execution with timeout.exe
        
        PID:3124
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        19⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        16⤵
        
        PID:3600
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD09E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD09E.tmp.bat
        17⤵
        
        PID:1972
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3600"
        18⤵
        Enumerates processes with tasklist
        
        PID:5316
        
        C:\Windows\system32\find.exe
        
        find ":"
        18⤵
        
        PID:5324
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        18⤵
        Delays execution with timeout.exe
        
        PID:5584
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3600"
        18⤵
        Enumerates processes with tasklist
        
        PID:4072
        
        C:\Windows\system32\find.exe
        
        find ":"
        18⤵
        
        PID:5780
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        18⤵
        Delays execution with timeout.exe
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        15⤵
        
        PID:4588
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD7D2.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD7D2.tmp.bat
        16⤵
        
        PID:3156
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4588"
        17⤵
        Enumerates processes with tasklist
        
        PID:4184
        
        C:\Windows\system32\find.exe
        
        find ":"
        17⤵
        
        PID:5160
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        17⤵
        Delays execution with timeout.exe
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        14⤵
        
        PID:4772
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD486.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD486.tmp.bat
        15⤵
        
        PID:5728
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4772"
        16⤵
        Enumerates processes with tasklist
        
        PID:2712
        
        C:\Windows\system32\find.exe
        
        find ":"
        16⤵
        
        PID:4376
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        16⤵
        Delays execution with timeout.exe
        
        PID:5136
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        16⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        13⤵
        
        PID:3728
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD64B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD64B.tmp.bat
        14⤵
        
        PID:2128
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3728"
        15⤵
        Enumerates processes with tasklist
        
        PID:5816
        
        C:\Windows\system32\find.exe
        
        find ":"
        15⤵
        
        PID:5568
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        15⤵
        Delays execution with timeout.exe
        
        PID:6140
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        15⤵
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        12⤵
        
        PID:4788
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCB20.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpCB20.tmp.bat
        13⤵
        
        PID:4520
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4788"
        14⤵
        Enumerates processes with tasklist
        
        PID:3016
        
        C:\Windows\system32\find.exe
        
        find ":"
        14⤵
        
        PID:4540
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        14⤵
        Delays execution with timeout.exe
        
        PID:2412
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        14⤵
        
        PID:3476
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        11⤵
        
        PID:964
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD1F6.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD1F6.tmp.bat
        12⤵
        
        PID:2444
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 964"
        13⤵
        Enumerates processes with tasklist
        
        PID:3904
        
        C:\Windows\system32\find.exe
        
        find ":"
        13⤵
        
        PID:3312
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        13⤵
        Delays execution with timeout.exe
        
        PID:4580
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        13⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        10⤵
        
        PID:2872
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCC58.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpCC58.tmp.bat
        11⤵
        
        PID:1512
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2872"
        12⤵
        Enumerates processes with tasklist
        
        PID:4424
        
        C:\Windows\system32\find.exe
        
        find ":"
        12⤵
        
        PID:2552
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:4768
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        12⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        9⤵
        
        PID:4748
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC63E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC63E.tmp.bat
        10⤵
        
        PID:5000
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4748"
        11⤵
        Enumerates processes with tasklist
        
        PID:4304
        
        C:\Windows\system32\find.exe
        
        find ":"
        11⤵
        
        PID:4812
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        11⤵
        Delays execution with timeout.exe
        
        PID:4608
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        11⤵
        
        PID:4660
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        8⤵
        
        PID:2508
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD467.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD467.tmp.bat
        9⤵
        
        PID:5764
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2508"
        10⤵
        Enumerates processes with tasklist
        
        PID:2112
        
        C:\Windows\system32\find.exe
        
        find ":"
        10⤵
        
        PID:5388
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:2396
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        10⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        7⤵
        
        PID:4396
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD2FF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD2FF.tmp.bat
        8⤵
        
        PID:5376
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4396"
        9⤵
        Enumerates processes with tasklist
        
        PID:3932
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:1868
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:5212
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        9⤵
        
        PID:7048
      - C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        6⤵
        
        PID:4148
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC767.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC767.tmp.bat
        7⤵
        
        PID:3128
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4148"
        8⤵
        Enumerates processes with tasklist
        
        PID:3748
        
        C:\Windows\system32\find.exe
        
        find ":"
        8⤵
        
        PID:1792
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:5984
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        8⤵
        
        PID:5096
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5276
    - - C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
        5⤵
        
        PID:1336
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1392
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC8DE.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC8DE.tmp.bat
        6⤵
        
        PID:796
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1336"
        7⤵
        Enumerates processes with tasklist
        
        PID:4244
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2268
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3120
        
        C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        7⤵
        
        PID:5560
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:668
  - - C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
      "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
      4⤵
      PID:3304
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4004
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCDDF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpCDDF.tmp.bat
        5⤵
        
        PID:2024
      - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3304"
        6⤵
        Enumerates processes with tasklist
        
        PID:3548
      - C:\Windows\system32\find.exe
        
        find ":"
        6⤵
        
        PID:3260
      - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        6⤵
        Delays execution with timeout.exe
        
        PID:3748
      - C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        6⤵
        
        PID:1792
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6860
- - C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
    "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
    3⤵
    - Executes dropped EXE
    PID:2368
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC6CA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC6CA.tmp.bat
      4⤵
      PID:4676
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2368"
        5⤵
        Enumerates processes with tasklist
        
        PID:1176
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:4572
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1392
    - - C:\Users\ToxicEye\rat.exe
        
        "rat.exe"
        5⤵
        
        PID:3248
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5556
- C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE
  "C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE"
  2⤵
  - Executes dropped EXE
  PID:1500
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC294.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC294.tmp.bat
    3⤵
    PID:3988
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 1500"
      4⤵
      Enumerates processes with tasklist
      PID:3548
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:4896
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2112
  - - C:\Users\ToxicEye\rat.exe
      "rat.exe"
      4⤵
      PID:4404
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\STUB DO NOT RUN THISS.EXE.log

Filesize
1KB

MD5
5cb90c90e96a3b36461ed44d339d02e5

SHA1
5508281a22cca7757bc4fbdb0a8e885c9f596a04

SHA256
34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb

SHA512
63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\STUB DO NOT RUN THISS.EXE

Filesize
111KB

MD5
86de4e40528fd099ae01872b6af837cf

SHA1
c616d8e3dc5643a15127dce69a327ce37a6b8ab8

SHA256
7485b221926010f27cda7f15f35a5c465558eb8c20b4fc37053850ed2b4a211a

SHA512
e9912f89c17ff6e7cd897d3256a2a4cd097090dcfee2a8dd85d98de0e618513efe8d3508cca5cbeb2711f27b4602c22cadd25f8eb1b417e7244da54a5db3a4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC294.tmp.bat

Filesize
198B

MD5
5b0ee6f2a272493d19fca2b1fbf1ace7

SHA1
fdb4c1ab2aeecea5e289d3eafd1809257ad7e45b

SHA256
682e1c280246b4b6ed475f4e64906ca1172bf046f6f37b5ad53396f3fb5c579e

SHA512
ffbc51a0f31ab22cb341e7963d33c452686bce6851f87457db6a5c1d11159f01289647d2bca69f0d4815d487999cfd004fb5c5509e848701bc10fe4689abdad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC63E.tmp.bat

Filesize
198B

MD5
689714ab88cff204632a4adcf8a58b83

SHA1
69fcd9683df87d26f44aa4b8a43ac33355d97854

SHA256
3879b56c32134aa55c7e2d33241bcd0195928dd77266707e8c30ff94c1b8b608

SHA512
1b16cb56952210b8334e4205c4ab9abb70c5433b4d5138baa6771e4988c284c2148987a51ab048acac8f41620842b1ef591f15dcc66392ee5b0122390624401f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC6CA.tmp.bat

Filesize
198B

MD5
4e2e0a204b3cff03149590d4b7ff07ae

SHA1
5646adede7ad50929f9ab7f0e02a568b16c43c16

SHA256
4de2a9137f6621a2ee8073a31810e0edae652e057e099ae53a22d17116763399

SHA512
278b4b70ff2de049415a5861718073bde7c8c9181650e39965eb0a44d84a8d2a981fd632f11b5dcc1bc1df2c41ba4d545ff7060f187bf6a8abcfdb060aa084f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC767.tmp.bat

Filesize
198B

MD5
d32276856e4da4c8d83b9c0f0052fc03

SHA1
d7569387181e193f6ca31ad9e8e8fa67f095a5c6

SHA256
3ce0e21cc05277a46baa0674bb7aa9df34a8e5bebc55f5b9262da1f918166127

SHA512
8d0386ce803010ed89649a39f8412383dbb8e75ed7f9fc92c1388a1489d02d3693ad66728d534b2cd9ea3b6f53832e84cf3b96f95f4137ddf9ddebcfdef6f39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC8DE.tmp.bat

Filesize
198B

MD5
ef033832f6ae7af87b7900e923bc9318

SHA1
ac7df70f636d0b624a1032df6c56ee9195bc13b1

SHA256
ad88166208874553ab0c374c33bb5b880c0b32973911127a426a92ee605f1229

SHA512
c09585a667b0a89cfd6be570ee802383699734368545491b3d10e90ddb5f748341b9db0a0cb32064f36aa0ae20f1fd3363af0de1d29c667f40195ecfaeb5bb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB20.tmp.bat

Filesize
198B

MD5
0fa489f6b9120b3ab2b38466d80931f9

SHA1
d1968a72cfbabf626f151d53e1dd244fb8507b06

SHA256
bcb118686fe1d179a88673376a1c409b44bb05ee48e37874f58582aca9323ef8

SHA512
0cf07b5cb8f902b054b81a8b83dcf6fbb9c5e3769c7532eb7ed131b4b5c281a055de535b8a203e27e100027eef27b63ed2009344e67e4f81e9d8ea6f167c194a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCC58.tmp.bat

Filesize
198B

MD5
712a8e0db1afd2cc94b82faf20191348

SHA1
aadca7d2a1ea4ffd14f0fc093cf1003f230ac5e7

SHA256
e32653c3217876a9f7a022da28644c50b9ebde3007572a220189bbb9fea3da37

SHA512
485ff649213058d678b9ce053d5651fad3445871dcc649f25735115617a5d899fa7759ed54afbedbe7b977733b3eac1653d041119304d1c657c54b0f5f181448

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDDF.tmp.bat

Filesize
198B

MD5
4ff8bcdf0f6015b6df852d02de3de25d

SHA1
68b2d59eb9b008f35ba16bd275813aa56380787c

SHA256
17443e0403dc322a53d22be4472fbfe949f25cb32aaf41b3111cd05818514f3b

SHA512
8eacc01c7b23fbdbb5bf8602d5fe8b3d28d9a290265c5659b6f41b969dc54e4c7dc54bfb617fc80863d74eef417de448376544290e7ae1fea541f2b0199e5f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD09E.tmp.bat

Filesize
198B

MD5
a2a19d6d7c14e783086a5ad0f00c97be

SHA1
5017555071816441f266098da201b707704bda3a

SHA256
7035cf464e806fc688d27006d605edfa8bd1c5d214dc0cc576da20931dbf2bfc

SHA512
d5f687d7e365c0e7298386248ab2277144436c6712f656c1f56688702fb8d975cf968d474a76998dbed9f29b129a5157ace6f3613356c2296f8fc9ce67526f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1F6.tmp.bat

Filesize
197B

MD5
c3661b0eee4b1c8b631468a622bf01ec

SHA1
67925a6efcc0216212449bf8c58c07c96d450dbe

SHA256
846efc1dd0eeebe3d3c9b40b2b42e07425c8c30de9f89986f3d24b37b7868c3b

SHA512
f3d6398a7729cf74e43df24f0d3ad38399055a3a577f12c2c7b60369b5c7515d183bd2ff199088315f189361771604e5f51a207ca56289a3c0f61ae6506c812d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2FF.tmp.bat

Filesize
198B

MD5
415253c7c5b646ca7d8131c14fc1183d

SHA1
2bf67db6e384f3f569a473b7eb2e09ed0bbd0167

SHA256
8818385ed79c623d596d0f6cdfedc7ba41c5880ba75bcdd8040b4b1f5d37e880

SHA512
7b9da6ac3331887068404f9b026d396a9910cd4dc5408ba9c2ad0ce7082cb685688dcac4f4b2edfcc457da8ec6d6cc1cb2d846b2c12633705d08a2ee80aae322

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD467.tmp.bat

Filesize
198B

MD5
6b054e979bc3619d31f600f5b0fe86e2

SHA1
634611ecd6293bffc9177af7b3faa0a39c5f4c46

SHA256
23ef91e66ff69026917966900e53da9fc590e36197bae2b533fda5a34abaa2e6

SHA512
050d56749211ff9a74ecf28d8f9a0052b0b7f1786403cf7eb2db9eb102d7877e6550da6f7e1f3603001c30e88d87d7413e128dcd8db035531b247ea2e3d68671

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD486.tmp.bat

Filesize
198B

MD5
ec222a228ca73d37d043baa3c99bd8da

SHA1
7062f7e6a6839f3db0c31dcfb1b8e7fd5ec4b73f

SHA256
0cb15f80b3767af58a93c0b2c2cc5a7f1eaf1900cfe2e586972141f8fd2347fe

SHA512
b4b54e79492e104ce244a03580b96d6cfb275786ff4ff378ac470cb4d454ea425767d68ad66205a63eed064bce52af707db8bb9c660f058fc91bac4082c4e187

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD570.tmp.bat

Filesize
198B

MD5
05a1487cd6391b169d92a7b978255290

SHA1
b84e01d857c509d05f68d36428537fe7b36afdcc

SHA256
9aaafce5fa17ed6246bff1418564aff7166bfbad840d1e7e5776effa6c4e7e25

SHA512
4b708dcdf922c5b8591da8bc37724ce7270a4ce011fa7486bb13da9a0408fa903d64e54f3536b1d3e790d6a0713473cd21267b50ed6795a3f92e38749ac670d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD64B.tmp.bat

Filesize
198B

MD5
dbf12e7f884c8b8342be8637d974b3e4

SHA1
e154601f23500f737b22fd303c5bc21247eab6f7

SHA256
de64503c57bf3d39dccd907bec4db8ebec0b231e5cfce6ae11507950714033f8

SHA512
4bc4db3f8d423cc2ef281e29dc9410768e1e6525b4c8043d22e96c75161025b3dbf9342df46b6887bd6d31ab0e5aa43cd0de9695552b5f0f1f125aeda56d52c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD7D2.tmp.bat

Filesize
198B

MD5
499bd2208e5e5707afccff7baab8d9e9

SHA1
cb3b06f3a4096ce13a49ec0e66da2e0d682dea4f

SHA256
705b94fb1b39b43e030e62ee10d489d5733174b986a63a805c01f2fa6cd4935e

SHA512
66d3ce5fd00fa6c829b902427956fbd037618b11a57e221af62b713233f859fc773365d22a7156db214dff5a27a3232269aded4fb56c2829009d24a2d337f147

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD7F1.tmp.bat

Filesize
198B

MD5
81405e14d63ce4db4ac65f8b1c13e7d3

SHA1
996a88bdab66a2e1f50f7585643377635e11c83e

SHA256
ef7dcb6468d3c2494fcf0ba65e86e99863282114ece96f269a3e02c242b9488b

SHA512
2fcf24b5d92effd813b735a1ec9dd85cbe0981cc8932247ec0d293dc69437ed6ef02031d2effd8c14af54a0ff190814e6f6daad94f72d558869da403640aa3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD87E.tmp.bat

Filesize
198B

MD5
25e55c66ea5c28ffae9ad31078341fe8

SHA1
9111e170c968b836b9bac9578b71618f9e6e729c

SHA256
1033c1a9ee822993da4231c13440dbe96724fcebf02065cb08555132d53146a8

SHA512
d3960fcf7c56d4a8bbc16f61e8bded816c66b2b4ded820a9098731e3adfff1a93a62319dc897199a5ff78a405c6deab81e5fc44d6130a8d4ab7785ebe9f83dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBBA.tmp.bat

Filesize
198B

MD5
1beabaae4f827c1be50f9055f1ebe100

SHA1
b2345d3b2c0b8f40c64a8c091dae859e1f8e80ed

SHA256
921a9f7b4d792b2b89afb141a9e3b754b59c25cbdfe5fcf4dd76aaa0fa911398

SHA512
5ca7f0f70df954f3e13dbd36c0c87a9f306166b39f7da6d5618bb26e89ead8b02ff70e1c6091d3dbc7c6fec05f53c00ba052e3f9c881d28bae0501602a0b6a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDEC.tmp.bat

Filesize
198B

MD5
d9ab541eda942a91622fe443b11a9dd4

SHA1
4802c62c545d949ba44a957d18b3f91247e2cdca

SHA256
4c72ce0aec9274873b1a8c695c414e51d119c666443bf435c035edf3fc5538c8

SHA512
70e4d70f5f9e28bb7d0a4ed7b1002a4778dec6ea7785243701dde2e14fe0976077537a63acf02a6b7aa1ca9007bb04bb42349dda483ee7fd6a935dcf9379a979

Download Submit
memory/1500-12-0x00000249DE210000-0x00000249DE232000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads