quasar | ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8

Analysis

max time kernel
899s
max time network
431s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

79069701295f944d67c5f2e0213b3b9c
SHA1

589e8b6227ec6ef923f7eb8e4dc96797593f9535
SHA256

ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8
SHA512

472570fbf5ee21c05d9e40aaef32686b5f3f63eba93c7f3efdc23493e74017cea8b2a91a1ac7d8cdbc67fedb18f4dcae20c08fa3b6486807fa38d03dd2114f67
SSDEEP

49152:mvjI22SsaNYfdPBldt698dBcjHtqRJ6sbR3LoGdnTHHB72eh2NT:mvc22SsaNYfdPBldt6+dBcjHtqRJ62

Score

10^/10

quasar test-rat discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

test-rat

46.125.249.50:4782:4782

Mutex

e2bb43be-2392-4c93-9a3c-dcea173d5afd

Attributes

encryption_key
AE2F816185F134AF4E7D747D3E55802DE0F16A45
install_name
Virus-Rat.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Update
subdirectory
Rat-Test-cx

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4740-1-0x0000000000F10000-0x0000000001234000-memory.dmp	family_quasar
behavioral1/files/0x000400000001e4e1-5.dat	family_quasar

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Virus-Rat.exe

Executes dropped EXE 64 IoCs

pid	Process
1384	Virus-Rat.exe
2964	Virus-Rat.exe
1940	Virus-Rat.exe
1920	Virus-Rat.exe
4064	Virus-Rat.exe
452	Virus-Rat.exe
4976	Virus-Rat.exe
4384	Virus-Rat.exe
2240	Virus-Rat.exe
3992	Virus-Rat.exe
1080	Virus-Rat.exe
3908	Virus-Rat.exe
4208	Virus-Rat.exe
2496	Virus-Rat.exe
3504	Virus-Rat.exe
5100	Virus-Rat.exe
1856	Virus-Rat.exe
3712	Virus-Rat.exe
1144	Virus-Rat.exe
1512	Virus-Rat.exe
3448	Virus-Rat.exe
5056	Virus-Rat.exe
2416	Virus-Rat.exe
2600	Virus-Rat.exe
4820	Virus-Rat.exe
1392	Virus-Rat.exe
3924	Virus-Rat.exe
3728	Virus-Rat.exe
2520	Virus-Rat.exe
3856	Virus-Rat.exe
1048	Virus-Rat.exe
4364	Virus-Rat.exe
1600	Virus-Rat.exe
784	Virus-Rat.exe
3776	Virus-Rat.exe
3692	Virus-Rat.exe
2608	Virus-Rat.exe
2712	Virus-Rat.exe
4496	Virus-Rat.exe
2236	Virus-Rat.exe
2304	Virus-Rat.exe
1072	Virus-Rat.exe
508	Virus-Rat.exe
4316	Virus-Rat.exe
4488	Virus-Rat.exe
3516	Virus-Rat.exe
4040	Virus-Rat.exe
2788	Virus-Rat.exe
2868	Virus-Rat.exe
1168	Virus-Rat.exe
4752	Virus-Rat.exe
2460	Virus-Rat.exe
1816	Virus-Rat.exe
1836	Virus-Rat.exe
2236	Virus-Rat.exe
208	Virus-Rat.exe
2684	Virus-Rat.exe
1380	Virus-Rat.exe
3092	Virus-Rat.exe
5048	Virus-Rat.exe
2140	Virus-Rat.exe
4936	Virus-Rat.exe
4000	Virus-Rat.exe
4108	Virus-Rat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1212	PING.EXE
3492	PING.EXE
3768	PING.EXE
4364	PING.EXE
4640	PING.EXE
4084	PING.EXE
1108	PING.EXE
3712	PING.EXE
3244	PING.EXE
4772	PING.EXE
4416	PING.EXE
388	PING.EXE
816	PING.EXE
4032	PING.EXE
4796	PING.EXE
1072	PING.EXE
5116	PING.EXE
60	PING.EXE
744	PING.EXE
4436	PING.EXE
4984	PING.EXE
344	PING.EXE
2936	PING.EXE
2336	PING.EXE
760	PING.EXE
1224	PING.EXE
3916	PING.EXE
2232	PING.EXE
1132	PING.EXE
2176	PING.EXE
3168	PING.EXE
880	PING.EXE
4512	PING.EXE
732	PING.EXE
3580	PING.EXE
2080	PING.EXE
3036	PING.EXE
3656	PING.EXE
2120	PING.EXE
2476	PING.EXE
3896	PING.EXE
3424	PING.EXE
3304	PING.EXE
4656	PING.EXE
1672	PING.EXE
3748	PING.EXE
4948	PING.EXE
4224	PING.EXE
3036	PING.EXE
3292	PING.EXE
2944	PING.EXE
4296	PING.EXE
4460	PING.EXE
1072	PING.EXE
1920	PING.EXE
396	PING.EXE
1392	PING.EXE
868	PING.EXE
3288	PING.EXE
4156	PING.EXE
3736	PING.EXE
4216	PING.EXE
5104	PING.EXE
3000	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
4640	PING.EXE
3036	PING.EXE
1152	PING.EXE
4656	PING.EXE
4296	PING.EXE
1340	PING.EXE
4984	PING.EXE
816	PING.EXE
3168	PING.EXE
4104	PING.EXE
4216	PING.EXE
4512	PING.EXE
4576	PING.EXE
3356	PING.EXE
1108	PING.EXE
3748	PING.EXE
744	PING.EXE
2476	PING.EXE
5004	PING.EXE
5116	PING.EXE
4032	PING.EXE
732	PING.EXE
760	PING.EXE
2944	PING.EXE
1852	PING.EXE
880	PING.EXE
2176	PING.EXE
3036	PING.EXE
3736	PING.EXE
3768	PING.EXE
3292	PING.EXE
4740	PING.EXE
1072	PING.EXE
1748	PING.EXE
3916	PING.EXE
396	PING.EXE
4860	PING.EXE
1132	PING.EXE
208	PING.EXE
3244	PING.EXE
868	PING.EXE
4796	PING.EXE
1072	PING.EXE
4376	PING.EXE
3564	PING.EXE
4084	PING.EXE
508	PING.EXE
4416	PING.EXE
3580	PING.EXE
4224	PING.EXE
388	PING.EXE
4108	PING.EXE
4948	PING.EXE
4436	PING.EXE
1392	PING.EXE
344	PING.EXE
60	PING.EXE
3304	PING.EXE
1672	PING.EXE
5104	PING.EXE
548	PING.EXE
1224	PING.EXE
3424	PING.EXE
1220	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1920	schtasks.exe
1304	schtasks.exe
4084	schtasks.exe
2752	schtasks.exe
4584	schtasks.exe
452	schtasks.exe
1100	schtasks.exe
760	schtasks.exe
3496	schtasks.exe
4644	schtasks.exe
3276	schtasks.exe
2396	schtasks.exe
4388	schtasks.exe
3236	schtasks.exe
4980	schtasks.exe
648	schtasks.exe
4156	schtasks.exe
1392	schtasks.exe
4024	schtasks.exe
5100	schtasks.exe
4400	schtasks.exe
4064	schtasks.exe
4340	schtasks.exe
4468	schtasks.exe
1196	schtasks.exe
4540	schtasks.exe
4580	schtasks.exe
2448	schtasks.exe
1852	schtasks.exe
4548	schtasks.exe
3896	schtasks.exe
1092	schtasks.exe
3768	schtasks.exe
2708	schtasks.exe
4136	schtasks.exe
3076	schtasks.exe
60	schtasks.exe
4272	schtasks.exe
4836	schtasks.exe
3696	schtasks.exe
3576	schtasks.exe
4476	schtasks.exe
556	schtasks.exe
4948	schtasks.exe
4920	schtasks.exe
4536	schtasks.exe
4972	schtasks.exe
4644	schtasks.exe
880	schtasks.exe
1668	schtasks.exe
4884	schtasks.exe
3032	schtasks.exe
1632	schtasks.exe
4952	schtasks.exe
4708	schtasks.exe
2556	schtasks.exe
2116	schtasks.exe
3236	schtasks.exe
4916	schtasks.exe
3200	schtasks.exe
3796	schtasks.exe
2524	schtasks.exe
5036	schtasks.exe
1508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4368	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	Client-built.exe
Token: SeDebugPrivilege	1384	Virus-Rat.exe
Token: SeDebugPrivilege	2964	Virus-Rat.exe
Token: SeDebugPrivilege	4368	taskmgr.exe
Token: SeSystemProfilePrivilege	4368	taskmgr.exe
Token: SeCreateGlobalPrivilege	4368	taskmgr.exe
Token: SeDebugPrivilege	1940	Virus-Rat.exe
Token: SeDebugPrivilege	1920	Virus-Rat.exe
Token: SeDebugPrivilege	4064	Virus-Rat.exe
Token: SeDebugPrivilege	452	Virus-Rat.exe
Token: SeDebugPrivilege	4976	Virus-Rat.exe
Token: SeDebugPrivilege	4384	Virus-Rat.exe
Token: SeDebugPrivilege	2240	Virus-Rat.exe
Token: SeDebugPrivilege	3992	Virus-Rat.exe
Token: SeDebugPrivilege	1080	Virus-Rat.exe
Token: SeDebugPrivilege	3908	Virus-Rat.exe
Token: SeDebugPrivilege	4208	Virus-Rat.exe
Token: SeDebugPrivilege	2496	Virus-Rat.exe
Token: SeDebugPrivilege	3504	Virus-Rat.exe
Token: SeDebugPrivilege	5100	Virus-Rat.exe
Token: SeDebugPrivilege	1856	Virus-Rat.exe
Token: SeDebugPrivilege	3712	Virus-Rat.exe
Token: SeDebugPrivilege	1144	Virus-Rat.exe
Token: SeDebugPrivilege	1512	Virus-Rat.exe
Token: SeDebugPrivilege	3448	Virus-Rat.exe
Token: SeDebugPrivilege	5056	Virus-Rat.exe
Token: SeDebugPrivilege	2416	Virus-Rat.exe
Token: SeDebugPrivilege	2600	Virus-Rat.exe
Token: SeDebugPrivilege	4820	Virus-Rat.exe
Token: SeDebugPrivilege	1392	Virus-Rat.exe
Token: SeDebugPrivilege	3924	Virus-Rat.exe
Token: SeDebugPrivilege	3728	Virus-Rat.exe
Token: SeDebugPrivilege	2520	Virus-Rat.exe
Token: SeDebugPrivilege	3856	Virus-Rat.exe
Token: SeDebugPrivilege	1048	Virus-Rat.exe
Token: SeDebugPrivilege	4364	Virus-Rat.exe
Token: SeDebugPrivilege	1600	Virus-Rat.exe
Token: SeDebugPrivilege	784	Virus-Rat.exe
Token: SeDebugPrivilege	3776	Virus-Rat.exe
Token: SeDebugPrivilege	3692	Virus-Rat.exe
Token: SeDebugPrivilege	2608	Virus-Rat.exe
Token: SeDebugPrivilege	2712	Virus-Rat.exe
Token: SeDebugPrivilege	4496	Virus-Rat.exe
Token: SeDebugPrivilege	2236	Virus-Rat.exe
Token: SeDebugPrivilege	2304	Virus-Rat.exe
Token: SeDebugPrivilege	1072	Virus-Rat.exe
Token: SeDebugPrivilege	508	Virus-Rat.exe
Token: SeDebugPrivilege	4316	Virus-Rat.exe
Token: SeDebugPrivilege	4488	Virus-Rat.exe
Token: SeDebugPrivilege	3516	Virus-Rat.exe
Token: SeDebugPrivilege	4040	Virus-Rat.exe
Token: SeDebugPrivilege	2788	Virus-Rat.exe
Token: SeDebugPrivilege	2868	Virus-Rat.exe
Token: SeDebugPrivilege	1168	Virus-Rat.exe
Token: SeDebugPrivilege	4752	Virus-Rat.exe
Token: SeDebugPrivilege	2460	Virus-Rat.exe
Token: SeDebugPrivilege	1816	Virus-Rat.exe
Token: SeDebugPrivilege	1836	Virus-Rat.exe
Token: SeDebugPrivilege	2236	Virus-Rat.exe
Token: SeDebugPrivilege	208	Virus-Rat.exe
Token: SeDebugPrivilege	2684	Virus-Rat.exe
Token: SeDebugPrivilege	1380	Virus-Rat.exe
Token: SeDebugPrivilege	3092	Virus-Rat.exe
Token: SeDebugPrivilege	5048	Virus-Rat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3796	4740	Client-built.exe	85
PID 4740 wrote to memory of 3796	4740	Client-built.exe	85
PID 4740 wrote to memory of 1384	4740	Client-built.exe	87
PID 4740 wrote to memory of 1384	4740	Client-built.exe	87
PID 1384 wrote to memory of 2764	1384	Virus-Rat.exe	88
PID 1384 wrote to memory of 2764	1384	Virus-Rat.exe	88
PID 1384 wrote to memory of 2328	1384	Virus-Rat.exe	90
PID 1384 wrote to memory of 2328	1384	Virus-Rat.exe	90
PID 2328 wrote to memory of 4732	2328	cmd.exe	92
PID 2328 wrote to memory of 4732	2328	cmd.exe	92
PID 2328 wrote to memory of 760	2328	cmd.exe	93
PID 2328 wrote to memory of 760	2328	cmd.exe	93
PID 2328 wrote to memory of 2964	2328	cmd.exe	104
PID 2328 wrote to memory of 2964	2328	cmd.exe	104
PID 2964 wrote to memory of 1920	2964	Virus-Rat.exe	108
PID 2964 wrote to memory of 1920	2964	Virus-Rat.exe	108
PID 2964 wrote to memory of 1696	2964	Virus-Rat.exe	111
PID 2964 wrote to memory of 1696	2964	Virus-Rat.exe	111
PID 1696 wrote to memory of 4580	1696	cmd.exe	113
PID 1696 wrote to memory of 4580	1696	cmd.exe	113
PID 1696 wrote to memory of 3356	1696	cmd.exe	114
PID 1696 wrote to memory of 3356	1696	cmd.exe	114
PID 1696 wrote to memory of 1940	1696	cmd.exe	123
PID 1696 wrote to memory of 1940	1696	cmd.exe	123
PID 1940 wrote to memory of 344	1940	Virus-Rat.exe	124
PID 1940 wrote to memory of 344	1940	Virus-Rat.exe	124
PID 1940 wrote to memory of 3748	1940	Virus-Rat.exe	127
PID 1940 wrote to memory of 3748	1940	Virus-Rat.exe	127
PID 3748 wrote to memory of 64	3748	cmd.exe	129
PID 3748 wrote to memory of 64	3748	cmd.exe	129
PID 3748 wrote to memory of 4640	3748	cmd.exe	130
PID 3748 wrote to memory of 4640	3748	cmd.exe	130
PID 3748 wrote to memory of 1920	3748	cmd.exe	134
PID 3748 wrote to memory of 1920	3748	cmd.exe	134
PID 1920 wrote to memory of 116	1920	Virus-Rat.exe	135
PID 1920 wrote to memory of 116	1920	Virus-Rat.exe	135
PID 1920 wrote to memory of 1972	1920	Virus-Rat.exe	138
PID 1920 wrote to memory of 1972	1920	Virus-Rat.exe	138
PID 1972 wrote to memory of 3060	1972	cmd.exe	140
PID 1972 wrote to memory of 3060	1972	cmd.exe	140
PID 1972 wrote to memory of 4984	1972	cmd.exe	141
PID 1972 wrote to memory of 4984	1972	cmd.exe	141
PID 1972 wrote to memory of 4064	1972	cmd.exe	143
PID 1972 wrote to memory of 4064	1972	cmd.exe	143
PID 4064 wrote to memory of 1852	4064	Virus-Rat.exe	144
PID 4064 wrote to memory of 1852	4064	Virus-Rat.exe	144
PID 4064 wrote to memory of 1616	4064	Virus-Rat.exe	147
PID 4064 wrote to memory of 1616	4064	Virus-Rat.exe	147
PID 1616 wrote to memory of 4372	1616	cmd.exe	149
PID 1616 wrote to memory of 4372	1616	cmd.exe	149
PID 1616 wrote to memory of 3036	1616	cmd.exe	150
PID 1616 wrote to memory of 3036	1616	cmd.exe	150
PID 1616 wrote to memory of 452	1616	cmd.exe	152
PID 1616 wrote to memory of 452	1616	cmd.exe	152
PID 452 wrote to memory of 660	452	Virus-Rat.exe	153
PID 452 wrote to memory of 660	452	Virus-Rat.exe	153
PID 452 wrote to memory of 1600	452	Virus-Rat.exe	156
PID 452 wrote to memory of 1600	452	Virus-Rat.exe	156
PID 1600 wrote to memory of 4260	1600	cmd.exe	158
PID 1600 wrote to memory of 4260	1600	cmd.exe	158
PID 1600 wrote to memory of 396	1600	cmd.exe	159
PID 1600 wrote to memory of 396	1600	cmd.exe	159
PID 1600 wrote to memory of 4976	1600	cmd.exe	161
PID 1600 wrote to memory of 4976	1600	cmd.exe	161

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3796
- C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
  "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
    3⤵
    PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o5ut1ZKWNc9n.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4732
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:760
  - - C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
      "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1920
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qNITi7mkZgOL.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4580
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:3356
      - C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        7⤵
        
        PID:344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WnXbfzHhFkro.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:64
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4640
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        9⤵
        
        PID:116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMP2FV7jlgJo.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yjtiikWghi9t.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        13⤵
        
        PID:660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GxS8GTJoqRm6.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:396
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tLzoWoiGTXVM.bat" "
        15⤵
        
        PID:1172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7E1NorHFNcr0.bat" "
        17⤵
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:4860
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        19⤵
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fjnaJRNvqJZB.bat" "
        19⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KwrlxlyyR2ti.bat" "
        21⤵
        
        PID:4560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3656
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u4pFs1VB3i1I.bat" "
        23⤵
        
        PID:556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0qhRm6RFPsOM.bat" "
        25⤵
        
        PID:1996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        Runs ping.exe
        
        PID:3564
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        27⤵
        
        PID:1852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Cl5KNnPlAPU.bat" "
        27⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5116
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        29⤵
        
        PID:4280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qS94VGEpB9bs.bat" "
        29⤵
        
        PID:3212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\533xHITsUlS4.bat" "
        31⤵
        
        PID:3924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        33⤵
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RJdxmeMQ4SW9.bat" "
        33⤵
        
        PID:5004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:388
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dn8Un1qLuiOF.bat" "
        35⤵
        
        PID:4844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ynUjBZSbG6JS.bat" "
        37⤵
        
        PID:936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:3104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:816
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        39⤵
        
        PID:1016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wJoierGNEU8Y.bat" "
        39⤵
        
        PID:1892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:2704
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4084
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9Shc3ZJnIySS.bat" "
        41⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:1608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1212
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        43⤵
        
        PID:3200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nArQVOLYhzLa.bat" "
        43⤵
        
        PID:4932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:3656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4772
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        45⤵
        
        PID:216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeNwWD8aNNNK.bat" "
        45⤵
        
        PID:2968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:1616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        Runs ping.exe
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIlAP5xzPYgE.bat" "
        47⤵
        
        PID:4712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:1168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        Runs ping.exe
        
        PID:508
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        49⤵
        
        PID:3104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AJqPallWYUI1.bat" "
        49⤵
        
        PID:2448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:4984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYc8cKRPRQFB.bat" "
        51⤵
        
        PID:3620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:64
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        Runs ping.exe
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwcWjqp4j04g.bat" "
        53⤵
        
        PID:3584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:1108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PBaHdvCgfJk0.bat" "
        55⤵
        
        PID:3368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:4640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOpjPW3rzITo.bat" "
        57⤵
        
        PID:3736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:3544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        Runs ping.exe
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcFuAlPee7Ry.bat" "
        59⤵
        
        PID:3352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:4564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4032
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:60
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tiY91pouirs8.bat" "
        61⤵
        
        PID:5116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:4884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSlTRhfBeOvO.bat" "
        63⤵
        
        PID:3864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:3588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3424
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qx4QeBoXSCwF.bat" "
        65⤵
        
        PID:1008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:2116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJjCsXD9tNPa.bat" "
        67⤵
        
        PID:4636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:2788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        68⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RtkSgWOexLbl.bat" "
        69⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:4236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        70⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        71⤵
        
        PID:1356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9FeeqrlXiKv2.bat" "
        71⤵
        
        PID:368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:4412
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4656
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        72⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        73⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p8aSC4JExbQL.bat" "
        73⤵
        
        PID:2108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:1956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:60
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        74⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        75⤵
        
        PID:1104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C7T7k26sRwRQ.bat" "
        75⤵
        
        PID:4848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        76⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        77⤵
        
        PID:4500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BbU3X6SGmHT.bat" "
        77⤵
        
        PID:4384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:4020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        78⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCU7kIeE0Km3.bat" "
        79⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:2540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        80⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        81⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\THdmeQTh7hvP.bat" "
        81⤵
        
        PID:4580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:4520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        Runs ping.exe
        
        PID:4376
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        82⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        83⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OzV178P9bJ3O.bat" "
        83⤵
        
        PID:3320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        84⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l4fGFMjlHRim.bat" "
        85⤵
        
        PID:1852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        86⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        87⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d70ET8bKJK82.bat" "
        87⤵
        
        PID:1568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3768
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        88⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        89⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3IidPMWCrbpK.bat" "
        89⤵
        
        PID:3292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:2744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        90⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        91⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i0AjtQTLijQ3.bat" "
        91⤵
        
        PID:452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:3268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        92⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        93⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fhEq9MSH2kMf.bat" "
        93⤵
        
        PID:2540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:1748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        Runs ping.exe
        
        PID:4104
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        94⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        95⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zy4fKiwkvcdr.bat" "
        95⤵
        
        PID:4420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:4740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        96⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        97⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7Q43tKMVaSKl.bat" "
        97⤵
        
        PID:2708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:1032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        Runs ping.exe
        
        PID:208
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        98⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        99⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ahXR3yC6HQ4Q.bat" "
        99⤵
        
        PID:4108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:2032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:880
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        100⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        101⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W80omqa2uag2.bat" "
        101⤵
        
        PID:5020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        102⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        103⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tsGeDtX6YPOY.bat" "
        103⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:2744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        Runs ping.exe
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        104⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        105⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vzrqh3vDiI7g.bat" "
        105⤵
        
        PID:868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:1564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4296
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        106⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        107⤵
        
        PID:2712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeR0dgqBFnqF.bat" "
        107⤵
        
        PID:2036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:2884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        108⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        109⤵
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tNXbgquiGwRs.bat" "
        109⤵
        
        PID:3304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:1764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4460
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        110⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        111⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H0ZAEdgM9B2I.bat" "
        111⤵
        
        PID:3500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        112⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:208
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        113⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCJ2DsRGCSWF.bat" "
        113⤵
        
        PID:4828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:4768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        114⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        114⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        115⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t3VbdwoWnDjf.bat" "
        115⤵
        
        PID:976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:2324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        116⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        116⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        117⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkUA0OYaNTlQ.bat" "
        117⤵
        
        PID:1176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:3344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        118⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        118⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        119⤵
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EGa6nnDM1KL8.bat" "
        119⤵
        
        PID:3248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:3864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        120⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:732
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        120⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        121⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuG6pDpnt3qq.bat" "
        121⤵
        
        PID:4456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:2136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        122⤵
        Runs ping.exe
        
        PID:4576
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        122⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        123⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYRRU3RLFMto.bat" "
        123⤵
        
        PID:4560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:4048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        124⤵
        Runs ping.exe
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        124⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        125⤵
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TcqefKslEwC1.bat" "
        125⤵
        
        PID:116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:2820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        126⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4948
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        126⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        127⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bI4DWJwzdNM4.bat" "
        127⤵
        
        PID:1172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:2276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        128⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        128⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        129⤵
        
        PID:4292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h6jnb47ylKdT.bat" "
        129⤵
        
        PID:3592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:1400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        130⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5104
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        130⤵
        Checks computer location settings
        
        PID:3552
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        131⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\67hPrzYjYloD.bat" "
        131⤵
        
        PID:4840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:3300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        132⤵
        Runs ping.exe
        
        PID:1340
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        132⤵
        Checks computer location settings
        
        PID:4760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        133⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4dHEYSLsvyHn.bat" "
        133⤵
        
        PID:1052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:1804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        134⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        134⤵
        
        PID:736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        135⤵
        
        PID:3908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BX0R1CaW52CN.bat" "
        135⤵
        
        PID:1520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        136⤵
        Runs ping.exe
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        136⤵
        
        PID:3216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        137⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qFDycEDbJokB.bat" "
        137⤵
        
        PID:840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        138⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        138⤵
        Checks computer location settings
        
        PID:5108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        139⤵
        
        PID:4444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HTEeQ0m8XDH6.bat" "
        139⤵
        
        PID:3340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:3916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        140⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4156
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        140⤵
        Checks computer location settings
        
        PID:2044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        141⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeDasgRWoW1G.bat" "
        141⤵
        
        PID:4976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:3496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        142⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        142⤵
        
        PID:4000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        143⤵
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fWT9gFouKNcY.bat" "
        143⤵
        
        PID:3144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        144⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3712
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        144⤵
        Checks computer location settings
        
        PID:4556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        145⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cDAQa6HGLo7k.bat" "
        145⤵
        
        PID:4980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        146⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4224
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        146⤵
        Checks computer location settings
        
        PID:4840
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        147⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryVUczFLD6Ij.bat" "
        147⤵
        
        PID:660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:4080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        148⤵
        Runs ping.exe
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        148⤵
        Checks computer location settings
        
        PID:1696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        149⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uJjI930kMmDL.bat" "
        149⤵
        
        PID:4272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:2268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        150⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        150⤵
        Checks computer location settings
        
        PID:3456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        151⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h5JrGihWBWec.bat" "
        151⤵
        
        PID:4664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        152⤵
        
        PID:1108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        152⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        152⤵
        
        PID:536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        153⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\njo7AO3eRALP.bat" "
        153⤵
        
        PID:4444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        154⤵
        
        PID:556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        154⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        154⤵
        Checks computer location settings
        
        PID:2396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        155⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dXpfDB2R6jC6.bat" "
        155⤵
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        156⤵
        
        PID:1032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        156⤵
        Runs ping.exe
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        156⤵
        
        PID:4704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        157⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HHhQkdkoN5Ke.bat" "
        157⤵
        
        PID:5064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        158⤵
        
        PID:4588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        158⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        158⤵
        
        PID:744
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        159⤵
        
        PID:4332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FYCu9zQRxipi.bat" "
        159⤵
        
        PID:3776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        160⤵
        
        PID:4388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        160⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        160⤵
        Checks computer location settings
        
        PID:2772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        161⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3tLb2y35IFfL.bat" "
        161⤵
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        162⤵
        
        PID:4400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        162⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        162⤵
        Checks computer location settings
        
        PID:4080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        163⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zal2AgYjLwjM.bat" "
        163⤵
        
        PID:2348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        164⤵
        
        PID:600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        164⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        164⤵
        Checks computer location settings
        
        PID:3516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        165⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kv841cPHVBFQ.bat" "
        165⤵
        
        PID:4576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        166⤵
        
        PID:3036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        166⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        166⤵
        Checks computer location settings
        
        PID:2036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        167⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pExqWexviIAg.bat" "
        167⤵
        
        PID:3828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        168⤵
        
        PID:528
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        168⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4364
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        168⤵
        Checks computer location settings
        
        PID:4924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        169⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZdJRfUgg9VTN.bat" "
        169⤵
        
        PID:4156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        170⤵
        
        PID:3500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        170⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        170⤵
        Checks computer location settings
        
        PID:1944
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        171⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4q4tFBgQBssz.bat" "
        171⤵
        
        PID:3568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        172⤵
        
        PID:3988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        172⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        172⤵
        Checks computer location settings
        
        PID:1644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        173⤵
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dn5enguTuTb8.bat" "
        173⤵
        
        PID:3592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        174⤵
        
        PID:1400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        174⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        174⤵
        Checks computer location settings
        
        PID:1004
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        175⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2jjAgEPAUfcR.bat" "
        175⤵
        
        PID:3396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        176⤵
        
        PID:4712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        176⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        176⤵
        Checks computer location settings
        
        PID:3588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        177⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63fwovVwHP1p.bat" "
        177⤵
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        178⤵
        
        PID:3268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        178⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4436

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Virus-Rat.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0qhRm6RFPsOM.bat

Filesize
215B

MD5
42e22d4312ef9c26bcd0a74d7dc12f30

SHA1
ead512e94fa5de3fe4035a6fa868d4224f0dc0f4

SHA256
1b4d9c92c700fbce673322e4c238aeb3923852a113fdace216ffbad38c229e15

SHA512
e9f438de56a3a2050bea9aa1c02c00e3337fff62e3528c71827b771327d691ad727c086853bd164b08bf7a61a81f3078755afa1d7f299a394374084b039972f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Cl5KNnPlAPU.bat

Filesize
215B

MD5
df1512caeb5a5f2758768af36a759ae5

SHA1
2d777eef48c0cf483a1ec156f46493dfd97af889

SHA256
43d67fe19eee59fa527bed51578a639cc38743d9ca7bc4d119d64c4f2f24932f

SHA512
c60f2d06afefc5891b957a0ecfbdadfb35941a6b4c5f8291511334e8e56e0483bebb07391e8dbce2482758b7b6850d805be96990460ac76a1e38c9e158b0b453

Download Submit
C:\Users\Admin\AppData\Local\Temp\533xHITsUlS4.bat

Filesize
215B

MD5
ed43d9eecc7c4f89f19d9590535b4644

SHA1
efb8b3824eabb3736093bbf544d25cdb1230d5bb

SHA256
3246b86444152a3ea35e612723ec08291522aecc3bf5b86705aad1c2eddbe4a9

SHA512
5599f7947ae62e2fb3d2ae8479d83a2ef406fca8c7029b6251516576301e9dc250ae3650d8a681ecf877a978327d5838799cbb19851528dce1d35ff52c3e836f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E1NorHFNcr0.bat

Filesize
215B

MD5
64782df562175e661e2c28a5181ee691

SHA1
cfa297c79f21c53c1e7838140ea6dbbcbfd9c451

SHA256
0d443b3413999526ce005b246b05299f8e7fb6bb7dbc3db86c04e53045691fd4

SHA512
856904c2ac5dacda82caf7dd42871d6dfad13086546c82bb89f476fe32853f7d070ecfd38877d0398a4f532e29c73400f3a535e89b2b69124ebd31723743d8ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Shc3ZJnIySS.bat

Filesize
215B

MD5
5983eeaef9b08639714cb267b9285511

SHA1
6769f363bc32697a5530fc6463c7999658727d8a

SHA256
af219db88913d3d453399f7785959dfab79593ca73af9aa0ebf111a0aaffff51

SHA512
b3fa4c7b77dbfd1ed2bf8ca0ad748599bfd98eca99df93f523d8cdd44b42fb1058cb938fd1ed550db59790328a4fe53d26b0d99534b9f701fe19a56c7b898e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJqPallWYUI1.bat

Filesize
215B

MD5
31689901b6450acf1a3f5ef900da5d34

SHA1
91003256a274c02cc65f866531906155c996dba1

SHA256
c77f16ec60b9da9792a1f1d1464eed30e0a18d8fe1bbdf17277b418737d01135

SHA512
dbb9f52b8c2adf96384783e4813ebbbce1e265f0e473dc765d2c9b20eda52df67a06a10b5fe6be6700b408b9f75c7e518a176f1c387dce1e6a2bd48e997730a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxS8GTJoqRm6.bat

Filesize
215B

MD5
d28454038c32996acc779bf7a761df6d

SHA1
39c6f9108815e4c9adfff9e18a774aead1d8e4bc

SHA256
40306f697145bb09ee0d97110e43b3cb08749c48b310a6676a19c96426700062

SHA512
f85913711fa4814682ad7b2bc8ff241a989c6726144cee1974742dc0e67e8e7202a4ce41f797e2919a110658b1567e4f44b3ecb8cd594c40cf0d72dca07a86cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\JSlTRhfBeOvO.bat

Filesize
215B

MD5
a9164c7f225530fd8eeb7184f85c5fc4

SHA1
734f6bb02bc399185b542d4cda972dde1219686f

SHA256
0693a5924099b7c8090b2608d7ebe6eb78951795f80601872cf1a26fd14410fa

SHA512
6ce8d1914e9cd799e6edbb49de3ca2215e52e72e117e245a2566b13af21121e65f326f5ce0c285d6cf2c88e3f5fbb674647c83fb531374fe11e100dda32206ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwrlxlyyR2ti.bat

Filesize
215B

MD5
094f82e92760ebd9be84b0c6da4ef81e

SHA1
6c8b009fa488357aa5429c6b2a7f51d15a6e5bab

SHA256
6c52b9f5c5750618ed5d2b7a33646e0c5fb6c92c42ad0226567093e389e714c9

SHA512
804e3873c0ffac8f3aaa6b9d4c73c843a6b332fbb30cf20c2db636b4b574cb20229114d33e371e7cf99ae2d38ea2e49101347a35bd07104fc798dff67edf954b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBaHdvCgfJk0.bat

Filesize
215B

MD5
ff87b4df405ee6089edf70d9c1005205

SHA1
f6ce0a744e4f02a5b12aee39145e32b7b5c966cc

SHA256
810cd7ad7fa5b226377627cba841444edc6f1a93771b270a6fcdacba35a96c39

SHA512
0a3be0483f516cc0055323ea4dc353d4c065ef7a627927a213d30795bb9514f38718a009f4a2d59b27cfbcf123f109df5ab392744a2125d21b42289ffde6f001

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYc8cKRPRQFB.bat

Filesize
215B

MD5
354ee46d137b04aa6fa4107def76f6c7

SHA1
dae280397666e48c486edba5c5d23fabdfdbb35e

SHA256
d7b6f602913ad3ed3ae0dad1a2464f8cae68c66bb0b544bcd2c63caab61d0747

SHA512
e15ffa755e8c23c502718d6ef464fcee9800bc8227f3e08cbdf317c6d88cf1c99fbc23b699bb1be81eaf0bb39b314d607e4c869ac0e0ba0f71a6479a5d52261c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJdxmeMQ4SW9.bat

Filesize
215B

MD5
d5ff334758b4bdc450c03be5a3d082fd

SHA1
988c9ce0357825682538affce017374de5b16e6d

SHA256
608f258e99df7b04b8d2c7c44c5d0ecae28536d87142c80cc8b66294caae7599

SHA512
b5f42d0c4e91bb5ad5e0453f2b2e2413dfbb229c8807aadcfab2a70d72de5f6a741f16e3c9912215c8d061fc27fce723168421e429addb90e57abf9135901c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RcFuAlPee7Ry.bat

Filesize
215B

MD5
e3c449194b847177c29c1ef9b9f97343

SHA1
2bc034cac743c705d5e0f37680ce3a21551847a7

SHA256
ed82e7de7a149e19ff8435dd71ab9fae95dc8feb44c222616b57a0feca9c8e60

SHA512
dacb6b71e7b4b0d95eb159ab2c4674e4fe24c93449950abd7288bc5341b9b3f778a1757aa3134f408ded854351ec2f649ff9c34d4f111277a26454115db20d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\VwcWjqp4j04g.bat

Filesize
215B

MD5
a955dfa3da9ac4d2b7642344a7e79ae0

SHA1
503e0fb3db8e12d982abc27427cbf5b175569dcd

SHA256
b35056db178bf2b4c95780f153d2c50986d55019ddc30dbd9c204c2daa9326bf

SHA512
1c0c5aaa3c9571a84d2a399a98c08788bd50dc0afe15810e043fbfb851d6e3c155f315cd672941fa2d6b8da15d9ffb0cecebc880de75d3322607b9fc5fe167b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WnXbfzHhFkro.bat

Filesize
215B

MD5
8c3c6e9c00516a107bd28962a2476347

SHA1
538931bf380bcdda45511ac3d3aafa456abf7686

SHA256
fede4e60d4ea3b64364af159a41cde840aa1c1b450d368d7e41298ade8df205c

SHA512
1a7ab245a4dab1df94ae2b976a251f172db51f580e323f060fc0ec5569fdc543e63889f60f273ba33500c912ed0d79d3bbbba531e5f10495114aff86ad072361

Download Submit
C:\Users\Admin\AppData\Local\Temp\aOpjPW3rzITo.bat

Filesize
215B

MD5
1240b809855f7a6228703ef2febefb4d

SHA1
22d3623f8ef747dc0c30dd789329f5bff6918912

SHA256
9339f1711f9f7f163dee6bd1fcd5da353619a3e623d38282ea0f78604e8775f0

SHA512
560812ade2ea056a5f6573035ec9fb99b9f86c1932373b44c274be262314849e5e332e4100073fb1ffa9ade155d8b7055f21d814ef1fbaf6d2de1a5d4a3b9776

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIlAP5xzPYgE.bat

Filesize
215B

MD5
4d3b912bb7bda3aba2ce0bcbfc259526

SHA1
0c285f7d6da6006fb38d77e18004e33cf33484fc

SHA256
51bc0b273b807c0301730e095217c518896df5a2aa2c26fb49c3bbc67cfa2238

SHA512
661d9cb3d2831567dbf272489308ef04097d3b59b8ea95691be04163e5b52ae3fa0459e0143d618dbeec1732c774c298644303324c227718a6d96bb7c1547959

Download Submit
C:\Users\Admin\AppData\Local\Temp\dn8Un1qLuiOF.bat

Filesize
215B

MD5
4fde4f6f8ee9e0f5a1d39902e5b57039

SHA1
a6bcfa95b4de2b383162ca8ee45788369ad1d541

SHA256
629d16258d4006596964b472ce4f5cb9fe1da503bbfb288d13f091b7118da101

SHA512
1efc0958fbcf56f000138afea5d8423f38e93d80e48cfc0cb1cfe27bc26319d40d2c9f7d582ea951952ff09b68d77ecab1c25cfa28a3a4f0d42afd9e495d834e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnaJRNvqJZB.bat

Filesize
215B

MD5
42855c14a024589f19bd21b87d1f9f97

SHA1
ede36fa71f877c49f91c012422a1d63a577dfb9e

SHA256
6a26095f41e61731774c9813f1934832795862a754057dfb9f1efe65b7e4e2b2

SHA512
d3aafd91dab5d91cc1c2b85cfb174f8ba1a4413695929e6f3866c691703721f4761650df27c74716cd30c4c86d5f74025f301f914531158e01523f902555826a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nArQVOLYhzLa.bat

Filesize
215B

MD5
34c9e89f3321a8d241d6f2937324ae76

SHA1
8ee331fd1d995a8a8fcaa06d21090e3182eae04b

SHA256
b60ebd1d88809972750c6c0c53bdd70b01afdd9dbc4743df396c10eabd02bc99

SHA512
ddd9e8c6598e9155dfc2ce3b5022a5fa624732330b7918eaa30671eb4f613f050bd1fdcb8c00ca888abb969a5c2d365d0b530c30b2f3aa32b58af5927b7c53d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\o5ut1ZKWNc9n.bat

Filesize
215B

MD5
461e5e3c3647cd7fa8e0de8c1cdd5060

SHA1
1f47d6c37e448978ef1fe80e37b062dac74d75e4

SHA256
48db831ae3eadd2b69ae22f51bf252d50eae5c97376f31c4201c8ba9f1ef450e

SHA512
c8125f994244647130d5f774414ba8df21c4f3865cc587ec488e5adab98a1245e6019f8b6f1cf04fd738d4ad429b5222ca4b0c1d00ca2be0d5658767465245c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qNITi7mkZgOL.bat

Filesize
215B

MD5
70e0063564bc2bfc72101e9537fce720

SHA1
a4bdd7e0770eca9f71e534c027241c924241a364

SHA256
f48721e92eff4708dc51796f3ef3508214fecea90e6d0fca40a2a12ba82ca06f

SHA512
9f361814b0d82a5a97eebe259ea46313717260dc1f8bb070c93ebb1fd6386eecb6ec76b1f7916ec7fbf29e2d95557aaac4285c6e403448db36e1197281ec45a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qS94VGEpB9bs.bat

Filesize
215B

MD5
d3a125742a22bdb6134900513207c5ce

SHA1
2699d98c1de0cfb2cf361c6a9e395a11d51641d3

SHA256
93301d5ebba6bab7879f9e711f94590d3fa652b9e834132033b6befa798f8ed4

SHA512
96d65705b5bce6866b43b72fb5ea21c49eee497b25c1eecfa8a93f840a42a83b561fc77a8f17e0b66a332ca9c59cd8c1b884c140b7f4f1b09188e7707bd60d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\tLzoWoiGTXVM.bat

Filesize
215B

MD5
440b45c85dfca3a2b15480521aa925f2

SHA1
e3ff1795278a2a5ec623fede29f56d6690c2c06f

SHA256
1c791eb25182c2edcb5d9998ba9c8d0865bf4e1b3b4da2183ee0997273042790

SHA512
5f6a72c0d5855901d736165b1a436145f6cdcc2f2d0b9391c9e27a7784a1bf58b970028f6648499b82fa524faf19bbc2beeaa70ed4cc1f7a31176f6e49974487

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiY91pouirs8.bat

Filesize
215B

MD5
b9ca4da96ab617d6cd470612aa446368

SHA1
5cd23b43ee6b33e8e04a520b3823fb4117a96a9e

SHA256
58e795ea18908753614a08e673d01661f622172c05fde0e0b29d88096e69833f

SHA512
6d8ce223a68bb071a84aa42815ff0a414d9ce01302cef6c9eabc47c84889b5af1315eb0dc5974ecdc459ba32c5d83ebfe325f6bb2ee015a4eef9b2d23e37cada

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4pFs1VB3i1I.bat

Filesize
215B

MD5
d03a4f987c246d4dedce3c0b41555f7f

SHA1
60c671dbab08fe0ce660518bb3bad21b730a42fb

SHA256
84e5ddc1f12a2dfc861780fc452917a1ea6c04f8f3a60d57b1c198bdd7a40a22

SHA512
559aeb6ca901ad3a00263c2fe1820dd659a7ac5515db19cdd02f5d54d9cc4dc5d5692535b9541c19da168d30dc9d18f7f85fbb721bde91df886585cf90576114

Download Submit
C:\Users\Admin\AppData\Local\Temp\wJoierGNEU8Y.bat

Filesize
215B

MD5
8d8798105228f28947cb9b909cb0b95f

SHA1
8ca52841b7845912c9d73309e8327feda4cd14c1

SHA256
06298327c88182427ac7f38a32f2a47efb80da9d12cce039361ed02b3e33d299

SHA512
1ffe9145aed52cfb4b80bfb7f061ac412c132a334e078a320538bca2019a9e76092aa3425c4c544d7dccfeb18f23fe3cff58a85e1bc59a7f34742baba7473109

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeNwWD8aNNNK.bat

Filesize
215B

MD5
1c39d340a60fb06e4698f59d0ca2bdb7

SHA1
b83268e80c90d90f57653868857100a1388089a5

SHA256
b828f52b8a026e15b12e0c1c845c18f3accc4cce96e26d393560fb48aeb464c9

SHA512
0f0a6fbb09758f8ec8a43442385ae4132947cdfb22d67072cec00f4e0bab93c35c1ed72b7dec0920ac18c2ee2c2f64994ffe0633ea2c16e7d89f6710be065919

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjtiikWghi9t.bat

Filesize
215B

MD5
7169805342e81debb9be6bc5cce77829

SHA1
a5a1b576e6ff4d500647c28cf9153179fd7b87cf

SHA256
a4fb1109f93905b737e2e35e68a4b109278dc4c7477ff807a391cd3b4fecfed1

SHA512
0dd8f56ca799179ced0e9ac701baa5f666775830aed10b63eadb7e90656cf9e5e3f0f5b8bd8dc47aa5da66e674d255889d693797d5c20db4aa8dd65e42529e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynUjBZSbG6JS.bat

Filesize
215B

MD5
6a9410860cf81908b3cb2b84fc40fb59

SHA1
63078e639756ad016176e7a18392160815c77953

SHA256
e767715894e0ffe22f1ca094a4316aa223da4dde21194da664b468c0381cd637

SHA512
1a6e450c12d5e988c1daf80e6a6dbaef00bad1608914f64766d573688e239efe5ffa7367944629514c0477e62fd3efcb095cf0aaa106fc8c31a83da5bf48f43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zMP2FV7jlgJo.bat

Filesize
215B

MD5
00b3267623d6dc49b1a074e7afe81485

SHA1
29ad0789bc622b2c856783d61cffc7966de87963

SHA256
1e404df539d254f1ff3c8251d178fd3bbe07ce6e6d7143c60ea350de563c6eef

SHA512
f60f2516ea4f1a9fc2d6ce34a892af462bb76580bb2f810f807e801c401cc4eb787189dd25179d5a12b767f36546ccfa9a2d3c8bcc24509330d94ec8f297640c

Download Submit
C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe

Filesize
3.1MB

MD5
79069701295f944d67c5f2e0213b3b9c

SHA1
589e8b6227ec6ef923f7eb8e4dc96797593f9535

SHA256
ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8

SHA512
472570fbf5ee21c05d9e40aaef32686b5f3f63eba93c7f3efdc23493e74017cea8b2a91a1ac7d8cdbc67fedb18f4dcae20c08fa3b6486807fa38d03dd2114f67

Download Submit
memory/1384-8-0x00007FFD64AA0000-0x00007FFD65561000-memory.dmp

Filesize
10.8MB

Download
memory/1384-10-0x00007FFD64AA0000-0x00007FFD65561000-memory.dmp

Filesize
10.8MB

Download
memory/1384-11-0x00000000024C0000-0x0000000002510000-memory.dmp

Filesize
320KB

Download
memory/1384-12-0x000000001B930000-0x000000001B9E2000-memory.dmp

Filesize
712KB

Download
memory/1384-17-0x00007FFD64AA0000-0x00007FFD65561000-memory.dmp

Filesize
10.8MB

Download
memory/4368-36-0x000001B9DA860000-0x000001B9DA861000-memory.dmp

Filesize
4KB

Download
memory/4368-35-0x000001B9DA860000-0x000001B9DA861000-memory.dmp

Filesize
4KB

Download
memory/4368-27-0x000001B9DA860000-0x000001B9DA861000-memory.dmp

Filesize
4KB

Download
memory/4368-25-0x000001B9DA860000-0x000001B9DA861000-memory.dmp

Filesize
4KB

Download
memory/4368-26-0x000001B9DA860000-0x000001B9DA861000-memory.dmp

Filesize
4KB

Download
memory/4368-32-0x000001B9DA860000-0x000001B9DA861000-memory.dmp

Filesize
4KB

Download
memory/4368-37-0x000001B9DA860000-0x000001B9DA861000-memory.dmp

Filesize
4KB

Download
memory/4368-31-0x000001B9DA860000-0x000001B9DA861000-memory.dmp

Filesize
4KB

Download
memory/4368-34-0x000001B9DA860000-0x000001B9DA861000-memory.dmp

Filesize
4KB

Download
memory/4368-33-0x000001B9DA860000-0x000001B9DA861000-memory.dmp

Filesize
4KB

Download
memory/4740-9-0x00007FFD64AA0000-0x00007FFD65561000-memory.dmp

Filesize
10.8MB

Download
memory/4740-0-0x00007FFD64AA3000-0x00007FFD64AA5000-memory.dmp

Filesize
8KB

Download
memory/4740-2-0x00007FFD64AA0000-0x00007FFD65561000-memory.dmp

Filesize
10.8MB

Download
memory/4740-1-0x0000000000F10000-0x0000000001234000-memory.dmp

Filesize
3.1MB

Download