quasar | ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8

Analysis

max time kernel
899s
max time network
440s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15-01-2025 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

79069701295f944d67c5f2e0213b3b9c
SHA1

589e8b6227ec6ef923f7eb8e4dc96797593f9535
SHA256

ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8
SHA512

472570fbf5ee21c05d9e40aaef32686b5f3f63eba93c7f3efdc23493e74017cea8b2a91a1ac7d8cdbc67fedb18f4dcae20c08fa3b6486807fa38d03dd2114f67
SSDEEP

49152:mvjI22SsaNYfdPBldt698dBcjHtqRJ6sbR3LoGdnTHHB72eh2NT:mvc22SsaNYfdPBldt6+dBcjHtqRJ62

Score

10^/10

quasar test-rat discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

test-rat

46.125.249.50:4782:4782

Mutex

e2bb43be-2392-4c93-9a3c-dcea173d5afd

Attributes

encryption_key
AE2F816185F134AF4E7D747D3E55802DE0F16A45
install_name
Virus-Rat.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Update
subdirectory
Rat-Test-cx

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/892-1-0x00000000004E0000-0x0000000000804000-memory.dmp	family_quasar
behavioral2/files/0x001b00000002aab2-5.dat	family_quasar

Executes dropped EXE 64 IoCs

pid	Process
2324	Virus-Rat.exe
4212	Virus-Rat.exe
2764	Virus-Rat.exe
3604	Virus-Rat.exe
456	Virus-Rat.exe
5068	Virus-Rat.exe
5012	Virus-Rat.exe
4168	Virus-Rat.exe
2404	Virus-Rat.exe
2076	Virus-Rat.exe
1040	Virus-Rat.exe
5112	Virus-Rat.exe
3136	Virus-Rat.exe
1072	Virus-Rat.exe
1140	Virus-Rat.exe
3444	Virus-Rat.exe
836	Virus-Rat.exe
1204	Virus-Rat.exe
3548	Virus-Rat.exe
3108	Virus-Rat.exe
1484	Virus-Rat.exe
1540	Virus-Rat.exe
2104	Virus-Rat.exe
1564	Virus-Rat.exe
2728	Virus-Rat.exe
3084	Virus-Rat.exe
5088	Virus-Rat.exe
4700	Virus-Rat.exe
3952	Virus-Rat.exe
2804	Virus-Rat.exe
1456	Virus-Rat.exe
3440	Virus-Rat.exe
4336	Virus-Rat.exe
1096	Virus-Rat.exe
3420	Virus-Rat.exe
1180	Virus-Rat.exe
1784	Virus-Rat.exe
4812	Virus-Rat.exe
536	Virus-Rat.exe
1040	Virus-Rat.exe
5080	Virus-Rat.exe
1964	Virus-Rat.exe
856	Virus-Rat.exe
4796	Virus-Rat.exe
1464	Virus-Rat.exe
3992	Virus-Rat.exe
2728	Virus-Rat.exe
2460	Virus-Rat.exe
4968	Virus-Rat.exe
808	Virus-Rat.exe
4752	Virus-Rat.exe
1960	Virus-Rat.exe
4588	Virus-Rat.exe
4788	Virus-Rat.exe
4336	Virus-Rat.exe
1692	Virus-Rat.exe
3980	Virus-Rat.exe
1648	Virus-Rat.exe
1032	Virus-Rat.exe
2392	Virus-Rat.exe
3540	Virus-Rat.exe
2092	Virus-Rat.exe
2628	Virus-Rat.exe
5100	Virus-Rat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
580	PING.EXE
2700	PING.EXE
2616	PING.EXE
232	PING.EXE
4600	PING.EXE
464	PING.EXE
2884	PING.EXE
3920	PING.EXE
4652	PING.EXE
1236	PING.EXE
3120	PING.EXE
3956	PING.EXE
1724	PING.EXE
3760	PING.EXE
2108	PING.EXE
3996	PING.EXE
4956	PING.EXE
3464	PING.EXE
3876	PING.EXE
3288	PING.EXE
2368	PING.EXE
892	PING.EXE
860	PING.EXE
4952	PING.EXE
1452	PING.EXE
1216	PING.EXE
3520	PING.EXE
1908	PING.EXE
1236	PING.EXE
1124	PING.EXE
2924	PING.EXE
2520	PING.EXE
3864	PING.EXE
2808	PING.EXE
2280	PING.EXE
1540	PING.EXE
3692	PING.EXE
2948	PING.EXE
2804	PING.EXE
3140	PING.EXE
4660	PING.EXE
764	PING.EXE
2164	PING.EXE
3408	PING.EXE
2708	PING.EXE
3344	PING.EXE
232	PING.EXE
3568	PING.EXE
3100	PING.EXE
2764	PING.EXE
2820	PING.EXE
4108	PING.EXE
3292	PING.EXE
1268	PING.EXE
660	PING.EXE
3356	PING.EXE
1484	PING.EXE
1884	PING.EXE
3620	PING.EXE
2656	PING.EXE
3128	PING.EXE
2320	PING.EXE
2968	PING.EXE
1788	PING.EXE

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
1840	PING.EXE
3716	PING.EXE
1216	PING.EXE
4308	PING.EXE
1908	PING.EXE
2968	PING.EXE
1884	PING.EXE
1452	PING.EXE
464	PING.EXE
1540	PING.EXE
1004	PING.EXE
3876	PING.EXE
3996	PING.EXE
2948	PING.EXE
3140	PING.EXE
4660	PING.EXE
3288	PING.EXE
4108	PING.EXE
2708	PING.EXE
3292	PING.EXE
3100	PING.EXE
1124	PING.EXE
3080	PING.EXE
3540	PING.EXE
3520	PING.EXE
580	PING.EXE
860	PING.EXE
1252	PING.EXE
1788	PING.EXE
2368	PING.EXE
3356	PING.EXE
2616	PING.EXE
3620	PING.EXE
3644	PING.EXE
2808	PING.EXE
4960	PING.EXE
3692	PING.EXE
2700	PING.EXE
4652	PING.EXE
4956	PING.EXE
232	PING.EXE
2924	PING.EXE
4440	PING.EXE
3464	PING.EXE
2820	PING.EXE
2204	PING.EXE
3288	PING.EXE
3568	PING.EXE
3128	PING.EXE
2280	PING.EXE
2764	PING.EXE
4600	PING.EXE
1236	PING.EXE
2656	PING.EXE
232	PING.EXE
1764	PING.EXE
3052	PING.EXE
1768	PING.EXE
1268	PING.EXE
660	PING.EXE
5020	PING.EXE
2520	PING.EXE
3408	PING.EXE
3760	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4220	schtasks.exe
4888	schtasks.exe
4092	schtasks.exe
2988	schtasks.exe
3848	schtasks.exe
608	schtasks.exe
1528	schtasks.exe
4648	schtasks.exe
4968	schtasks.exe
2868	schtasks.exe
4844	schtasks.exe
5112	schtasks.exe
3128	schtasks.exe
4068	schtasks.exe
4624	schtasks.exe
3056	schtasks.exe
3100	schtasks.exe
1360	schtasks.exe
1400	schtasks.exe
2916	schtasks.exe
3252	schtasks.exe
4960	schtasks.exe
2720	schtasks.exe
4444	schtasks.exe
1364	schtasks.exe
2808	schtasks.exe
4656	schtasks.exe
3524	schtasks.exe
1540	schtasks.exe
716	schtasks.exe
1172	schtasks.exe
948	schtasks.exe
3252	schtasks.exe
3808	schtasks.exe
2600	schtasks.exe
4816	schtasks.exe
3456	schtasks.exe
4208	schtasks.exe
2820	schtasks.exe
836	schtasks.exe
5108	schtasks.exe
4308	schtasks.exe
5104	schtasks.exe
1180	schtasks.exe
4440	schtasks.exe
5024	schtasks.exe
3852	schtasks.exe
640	schtasks.exe
4744	schtasks.exe
1268	schtasks.exe
3496	schtasks.exe
1116	schtasks.exe
3320	schtasks.exe
3708	schtasks.exe
4324	schtasks.exe
4968	schtasks.exe
1484	schtasks.exe
1988	schtasks.exe
2072	schtasks.exe
4896	schtasks.exe
1568	schtasks.exe
2332	schtasks.exe
3252	schtasks.exe
4080	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	892	Client-built.exe
Token: SeDebugPrivilege	2324	Virus-Rat.exe
Token: SeDebugPrivilege	4212	Virus-Rat.exe
Token: SeDebugPrivilege	2764	Virus-Rat.exe
Token: SeDebugPrivilege	3604	Virus-Rat.exe
Token: SeDebugPrivilege	456	Virus-Rat.exe
Token: SeDebugPrivilege	5068	Virus-Rat.exe
Token: SeDebugPrivilege	5012	Virus-Rat.exe
Token: SeDebugPrivilege	4168	Virus-Rat.exe
Token: SeDebugPrivilege	2404	Virus-Rat.exe
Token: SeDebugPrivilege	2076	Virus-Rat.exe
Token: SeDebugPrivilege	1040	Virus-Rat.exe
Token: SeDebugPrivilege	5112	Virus-Rat.exe
Token: SeDebugPrivilege	3136	Virus-Rat.exe
Token: SeDebugPrivilege	1072	Virus-Rat.exe
Token: SeDebugPrivilege	1140	Virus-Rat.exe
Token: SeDebugPrivilege	3444	Virus-Rat.exe
Token: SeDebugPrivilege	836	Virus-Rat.exe
Token: SeDebugPrivilege	1204	Virus-Rat.exe
Token: SeDebugPrivilege	3548	Virus-Rat.exe
Token: SeDebugPrivilege	3108	Virus-Rat.exe
Token: SeDebugPrivilege	1484	Virus-Rat.exe
Token: SeDebugPrivilege	1540	Virus-Rat.exe
Token: SeDebugPrivilege	2104	Virus-Rat.exe
Token: SeDebugPrivilege	1564	Virus-Rat.exe
Token: SeDebugPrivilege	2728	Virus-Rat.exe
Token: SeDebugPrivilege	3084	Virus-Rat.exe
Token: SeDebugPrivilege	5088	Virus-Rat.exe
Token: SeDebugPrivilege	4700	Virus-Rat.exe
Token: SeDebugPrivilege	3952	Virus-Rat.exe
Token: SeDebugPrivilege	2804	Virus-Rat.exe
Token: SeDebugPrivilege	1456	Virus-Rat.exe
Token: SeDebugPrivilege	3440	Virus-Rat.exe
Token: SeDebugPrivilege	4336	Virus-Rat.exe
Token: SeDebugPrivilege	1096	Virus-Rat.exe
Token: SeDebugPrivilege	3420	Virus-Rat.exe
Token: SeDebugPrivilege	1180	Virus-Rat.exe
Token: SeDebugPrivilege	1784	Virus-Rat.exe
Token: SeDebugPrivilege	4812	Virus-Rat.exe
Token: SeDebugPrivilege	536	Virus-Rat.exe
Token: SeDebugPrivilege	1040	Virus-Rat.exe
Token: SeDebugPrivilege	5080	Virus-Rat.exe
Token: SeDebugPrivilege	1964	Virus-Rat.exe
Token: SeDebugPrivilege	856	Virus-Rat.exe
Token: SeDebugPrivilege	4796	Virus-Rat.exe
Token: SeDebugPrivilege	1464	Virus-Rat.exe
Token: SeDebugPrivilege	3992	Virus-Rat.exe
Token: SeDebugPrivilege	2728	Virus-Rat.exe
Token: SeDebugPrivilege	2460	Virus-Rat.exe
Token: SeDebugPrivilege	4968	Virus-Rat.exe
Token: SeDebugPrivilege	808	Virus-Rat.exe
Token: SeDebugPrivilege	4752	Virus-Rat.exe
Token: SeDebugPrivilege	1960	Virus-Rat.exe
Token: SeDebugPrivilege	4588	Virus-Rat.exe
Token: SeDebugPrivilege	4788	Virus-Rat.exe
Token: SeDebugPrivilege	4336	Virus-Rat.exe
Token: SeDebugPrivilege	1692	Virus-Rat.exe
Token: SeDebugPrivilege	3980	Virus-Rat.exe
Token: SeDebugPrivilege	1648	Virus-Rat.exe
Token: SeDebugPrivilege	1032	Virus-Rat.exe
Token: SeDebugPrivilege	2392	Virus-Rat.exe
Token: SeDebugPrivilege	3540	Virus-Rat.exe
Token: SeDebugPrivilege	2092	Virus-Rat.exe
Token: SeDebugPrivilege	2628	Virus-Rat.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 5028	892	Client-built.exe	77
PID 892 wrote to memory of 5028	892	Client-built.exe	77
PID 892 wrote to memory of 2324	892	Client-built.exe	79
PID 892 wrote to memory of 2324	892	Client-built.exe	79
PID 2324 wrote to memory of 2600	2324	Virus-Rat.exe	80
PID 2324 wrote to memory of 2600	2324	Virus-Rat.exe	80
PID 2324 wrote to memory of 4968	2324	Virus-Rat.exe	82
PID 2324 wrote to memory of 4968	2324	Virus-Rat.exe	82
PID 4968 wrote to memory of 4300	4968	cmd.exe	84
PID 4968 wrote to memory of 4300	4968	cmd.exe	84
PID 4968 wrote to memory of 3540	4968	cmd.exe	85
PID 4968 wrote to memory of 3540	4968	cmd.exe	85
PID 4968 wrote to memory of 4212	4968	cmd.exe	86
PID 4968 wrote to memory of 4212	4968	cmd.exe	86
PID 4212 wrote to memory of 3100	4212	Virus-Rat.exe	87
PID 4212 wrote to memory of 3100	4212	Virus-Rat.exe	87
PID 4212 wrote to memory of 2092	4212	Virus-Rat.exe	89
PID 4212 wrote to memory of 2092	4212	Virus-Rat.exe	89
PID 2092 wrote to memory of 1236	2092	cmd.exe	91
PID 2092 wrote to memory of 1236	2092	cmd.exe	91
PID 2092 wrote to memory of 3520	2092	cmd.exe	92
PID 2092 wrote to memory of 3520	2092	cmd.exe	92
PID 2092 wrote to memory of 2764	2092	cmd.exe	93
PID 2092 wrote to memory of 2764	2092	cmd.exe	93
PID 2764 wrote to memory of 5112	2764	Virus-Rat.exe	94
PID 2764 wrote to memory of 5112	2764	Virus-Rat.exe	94
PID 2764 wrote to memory of 1356	2764	Virus-Rat.exe	96
PID 2764 wrote to memory of 1356	2764	Virus-Rat.exe	96
PID 1356 wrote to memory of 920	1356	cmd.exe	98
PID 1356 wrote to memory of 920	1356	cmd.exe	98
PID 1356 wrote to memory of 580	1356	cmd.exe	99
PID 1356 wrote to memory of 580	1356	cmd.exe	99
PID 1356 wrote to memory of 3604	1356	cmd.exe	100
PID 1356 wrote to memory of 3604	1356	cmd.exe	100
PID 3604 wrote to memory of 1520	3604	Virus-Rat.exe	101
PID 3604 wrote to memory of 1520	3604	Virus-Rat.exe	101
PID 3604 wrote to memory of 2820	3604	Virus-Rat.exe	103
PID 3604 wrote to memory of 2820	3604	Virus-Rat.exe	103
PID 2820 wrote to memory of 3888	2820	cmd.exe	105
PID 2820 wrote to memory of 3888	2820	cmd.exe	105
PID 2820 wrote to memory of 2280	2820	cmd.exe	106
PID 2820 wrote to memory of 2280	2820	cmd.exe	106
PID 2820 wrote to memory of 456	2820	cmd.exe	107
PID 2820 wrote to memory of 456	2820	cmd.exe	107
PID 456 wrote to memory of 1528	456	Virus-Rat.exe	108
PID 456 wrote to memory of 1528	456	Virus-Rat.exe	108
PID 456 wrote to memory of 1048	456	Virus-Rat.exe	110
PID 456 wrote to memory of 1048	456	Virus-Rat.exe	110
PID 1048 wrote to memory of 428	1048	cmd.exe	112
PID 1048 wrote to memory of 428	1048	cmd.exe	112
PID 1048 wrote to memory of 1004	1048	cmd.exe	113
PID 1048 wrote to memory of 1004	1048	cmd.exe	113
PID 1048 wrote to memory of 5068	1048	cmd.exe	114
PID 1048 wrote to memory of 5068	1048	cmd.exe	114
PID 5068 wrote to memory of 2504	5068	Virus-Rat.exe	115
PID 5068 wrote to memory of 2504	5068	Virus-Rat.exe	115
PID 5068 wrote to memory of 4260	5068	Virus-Rat.exe	117
PID 5068 wrote to memory of 4260	5068	Virus-Rat.exe	117
PID 4260 wrote to memory of 2276	4260	cmd.exe	119
PID 4260 wrote to memory of 2276	4260	cmd.exe	119
PID 4260 wrote to memory of 1840	4260	cmd.exe	120
PID 4260 wrote to memory of 1840	4260	cmd.exe	120
PID 4260 wrote to memory of 5012	4260	cmd.exe	121
PID 4260 wrote to memory of 5012	4260	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
  2⤵
  PID:5028
- C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
  "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0LvIISRUWlpo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4300
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:3540
  - - C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
      "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\el6IWZtKIxcG.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1236
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3520
      - C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wj5NLMWkglMb.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        9⤵
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oZ0okR6g3HTQ.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmwFefguwqBe.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        13⤵
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MXfubnsO1BIR.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XRFpnc0p6yRN.bat" "
        15⤵
        
        PID:3080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4956
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        17⤵
        
        PID:1508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ymlx34tru2uZ.bat" "
        17⤵
        
        PID:996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4128
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rYJNXfBfMcuG.bat" "
        19⤵
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        Runs ping.exe
        
        PID:3716
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        21⤵
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\621lckv08Wh4.bat" "
        21⤵
        
        PID:1448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        23⤵
        
        PID:3108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2Cj0VQ44rrz.bat" "
        23⤵
        
        PID:4640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3344
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dk3mH2uz07BZ.bat" "
        25⤵
        
        PID:580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUgXTpZGBHsn.bat" "
        27⤵
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HeEusd2aemF0.bat" "
        29⤵
        
        PID:5116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        31⤵
        
        PID:4260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HFcz9UW15Bhx.bat" "
        31⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8vkzVKJoeMvJ.bat" "
        33⤵
        
        PID:4592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ueQZ89R7oSUE.bat" "
        35⤵
        
        PID:4740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        Runs ping.exe
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgpD8gWOy329.bat" "
        37⤵
        
        PID:4424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:4004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jo96uo2r89Q1.bat" "
        39⤵
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:4212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nZCS4MCQlOTE.bat" "
        41⤵
        
        PID:3344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:2492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyNIoFkKItNG.bat" "
        43⤵
        
        PID:4588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:4156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuhY5gmrtZLv.bat" "
        45⤵
        
        PID:2256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:4976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JhzG0R0nelyV.bat" "
        47⤵
        
        PID:700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:4952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tp4sV5ppS4rH.bat" "
        49⤵
        
        PID:4708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VB3DDCheFKS5.bat" "
        51⤵
        
        PID:1636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27YLK47Xr8pV.bat" "
        53⤵
        
        PID:3104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:3764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ylXOniSnsafa.bat" "
        55⤵
        
        PID:2404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:3984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3956
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ewrO9BESl5uM.bat" "
        57⤵
        
        PID:4192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3464
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Bro1Ir4A2d8.bat" "
        59⤵
        
        PID:4380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:4956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwL1BxFuDgPn.bat" "
        61⤵
        
        PID:1628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:2932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v0xp3MdfsOMq.bat" "
        63⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:3544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        65⤵
        
        PID:832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vmuS5qR4qUg5.bat" "
        65⤵
        
        PID:2708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:2256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4600
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        66⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        67⤵
        
        PID:1172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x9ieYs4k4546.bat" "
        67⤵
        
        PID:4952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:4036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:464
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        68⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qtqqiJ6dMOU3.bat" "
        69⤵
        
        PID:4860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:3276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        70⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        71⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmxq8kgfeHt3.bat" "
        71⤵
        
        PID:3776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:1340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        72⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        73⤵
        
        PID:328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YVA1G4sZiOIm.bat" "
        73⤵
        
        PID:4064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:3764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        74⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0dK6ZJdBVN6q.bat" "
        75⤵
        
        PID:4596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        76⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        77⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rvgnsNwtsxVL.bat" "
        77⤵
        
        PID:572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        78⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rLx0hi6MeyxZ.bat" "
        79⤵
        
        PID:4192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:4836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        80⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        81⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQwVxbxLJQfJ.bat" "
        81⤵
        
        PID:2616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3920
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        82⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        83⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IhULExyHj4Do.bat" "
        83⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:1484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        84⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        85⤵
        
        PID:3604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQsa1KEuFzxC.bat" "
        85⤵
        
        PID:1344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:1144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        86⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        87⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mtsvB6tFbv82.bat" "
        87⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:2708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        Runs ping.exe
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        88⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        89⤵
        
        PID:1944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4OqgyPaosdtc.bat" "
        89⤵
        
        PID:4776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:5104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        90⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        91⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kVXeRZHy47Nq.bat" "
        91⤵
        
        PID:1248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:3320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        Runs ping.exe
        
        PID:4440
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        92⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        93⤵
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L3vFX3yd3P9f.bat" "
        93⤵
        
        PID:1112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:1708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        94⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        95⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGOoeW5kaNL6.bat" "
        95⤵
        
        PID:3532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:1896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        Runs ping.exe
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        96⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        97⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sKGjzgDkmntm.bat" "
        97⤵
        
        PID:2884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:4120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        98⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        99⤵
        
        PID:4652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v7Faci6I2VnN.bat" "
        99⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:4636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        100⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        101⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\96XuUOs4VnQv.bat" "
        101⤵
        
        PID:3752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:3952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        102⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        103⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4TRUyHtE5PIs.bat" "
        103⤵
        
        PID:2764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:3144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        104⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        105⤵
        
        PID:3608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Li1eUKIQaB5C.bat" "
        105⤵
        
        PID:1500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:3148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        106⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        107⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l7s6dcA0w8EF.bat" "
        107⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:2732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        108⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        109⤵
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U8MFf2yZItrh.bat" "
        109⤵
        
        PID:1528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:1048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        110⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        111⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N1yBh2vEQZPi.bat" "
        111⤵
        
        PID:5116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:1684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        112⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        113⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8DSUFzOePUfI.bat" "
        113⤵
        
        PID:4660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        114⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3408
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        114⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        115⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xU2mkQ5Nc0E1.bat" "
        115⤵
        
        PID:4148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:1636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        116⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        116⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        117⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mT1soNR2lhzV.bat" "
        117⤵
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:3984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        118⤵
        Runs ping.exe
        
        PID:3644
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        118⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        119⤵
        
        PID:4816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M8j7x0BFYKRC.bat" "
        119⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:4652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        120⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        120⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        121⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3rdLKsxvLxBt.bat" "
        121⤵
        
        PID:3100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:4304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        122⤵
        Runs ping.exe
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        122⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        123⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NJ2nG48dWWBs.bat" "
        123⤵
        
        PID:716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:2796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        124⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        124⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        125⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9Ku6Uq6Ly13Q.bat" "
        125⤵
        
        PID:4080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        126⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3864
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        126⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        127⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkMeTxsPNnSA.bat" "
        127⤵
        
        PID:2064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:1268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        128⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        128⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        129⤵
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YoOvrMIVkhCT.bat" "
        129⤵
        
        PID:1344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:1436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        130⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        130⤵
        
        PID:4332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        131⤵
        
        PID:660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1bhU5D24ZbdN.bat" "
        131⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:2340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        132⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        132⤵
        
        PID:2120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        133⤵
        
        PID:4960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naarMgdh6KdB.bat" "
        133⤵
        
        PID:3664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:1948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        134⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        134⤵
        
        PID:3848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        135⤵
        
        PID:1464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qCYrN4aptDS5.bat" "
        135⤵
        
        PID:1924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:3316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        136⤵
        Runs ping.exe
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        136⤵
        
        PID:2180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        137⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T8CoIb5rQ96x.bat" "
        137⤵
        
        PID:3980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:2292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        138⤵
        Runs ping.exe
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        138⤵
        
        PID:2320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        139⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f26sFq3OLUiU.bat" "
        139⤵
        
        PID:680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:1784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        140⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3760
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        140⤵
        
        PID:2244
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        141⤵
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mb9RB3alf7Uq.bat" "
        141⤵
        
        PID:2104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:2404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        142⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        142⤵
        
        PID:4888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        143⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LZbnyElIqvgP.bat" "
        143⤵
        
        PID:536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:2980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        144⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3100
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        144⤵
        
        PID:3352
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        145⤵
        
        PID:3140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\92Uw2BbMzSjU.bat" "
        145⤵
        
        PID:4128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:5076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        146⤵
        Runs ping.exe
        
        PID:3080
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        146⤵
        
        PID:1040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        147⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4c23JyBfQzXG.bat" "
        147⤵
        
        PID:1656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        148⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        148⤵
        
        PID:3864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        149⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U7hKlFCAbLnt.bat" "
        149⤵
        
        PID:5084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:2628
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        150⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        150⤵
        
        PID:4824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        151⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jH6y08EIPd0C.bat" "
        151⤵
        
        PID:1344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        152⤵
        
        PID:2740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        152⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:660
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        152⤵
        
        PID:3296
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        153⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0083OqrF3s2.bat" "
        153⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        154⤵
        
        PID:1548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        154⤵
        Runs ping.exe
        
        PID:4960
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        154⤵
        
        PID:464
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        155⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WpZPKksxujNV.bat" "
        155⤵
        
        PID:3684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        156⤵
        
        PID:1464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        156⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        156⤵
        
        PID:4020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        157⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e8lca8E72r1J.bat" "
        157⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        158⤵
        
        PID:1192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        158⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        158⤵
        
        PID:3420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        159⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i4LOAGXOJTKX.bat" "
        159⤵
        
        PID:4144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        160⤵
        
        PID:5056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        160⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        160⤵
        
        PID:2228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        161⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o6E2dvTzgvmZ.bat" "
        161⤵
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        162⤵
        
        PID:4740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        162⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        162⤵
        
        PID:4808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        163⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CnxrcOy2Li62.bat" "
        163⤵
        
        PID:952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        164⤵
        
        PID:4968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        164⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        164⤵
        
        PID:1564
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        165⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\67DXW9Zn5F8w.bat" "
        165⤵
        
        PID:4716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        166⤵
        
        PID:3268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        166⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3140
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        166⤵
        
        PID:2800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        167⤵
        
        PID:4944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3lSPDM9bD3GC.bat" "
        167⤵
        
        PID:1372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        168⤵
        
        PID:3144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        168⤵
        Runs ping.exe
        
        PID:4308
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        168⤵
        
        PID:2212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        169⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d0tluCZuGYZa.bat" "
        169⤵
        
        PID:1656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        170⤵
        
        PID:3836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        170⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        170⤵
        
        PID:3888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        171⤵
        
        PID:532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CeAOFA5Eylss.bat" "
        171⤵
        
        PID:1268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        172⤵
        
        PID:3804
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        172⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3692
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        172⤵
        
        PID:3276
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        173⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lRAkCJ3aRL1z.bat" "
        173⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        174⤵
        
        PID:3596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        174⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        174⤵
        
        PID:4332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        175⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b8gtNiDPPCIm.bat" "
        175⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        176⤵
        
        PID:3948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        176⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        176⤵
        
        PID:4200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        177⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xfeGeIhJLAjm.bat" "
        177⤵
        
        PID:4940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        178⤵
        
        PID:3960
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        178⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4660
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        178⤵
        
        PID:2020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        179⤵
        
        PID:3896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H4OtWxvzgylE.bat" "
        179⤵
        
        PID:1336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        180⤵
        
        PID:248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        180⤵
        Runs ping.exe
        
        PID:5020
        
        C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe
        
        "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe"
        180⤵
        
        PID:1460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe" /rl HIGHEST /f
        181⤵
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zxsVCyvkD1oV.bat" "
        181⤵
        
        PID:3084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        182⤵
        
        PID:2920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        182⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Virus-Rat.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LvIISRUWlpo.bat

Filesize
215B

MD5
3596fa88398eec33ca6a0ac7e73719fc

SHA1
afc30fc58ab8e2e81bcc6e4db4c05c259eddf3a4

SHA256
8f9d66e931bbc1281341fb8db2c1fdb983053b7120e61b59ba80bc8705cbdd6e

SHA512
701de1c0f327e7670ef4348d02cef1113909c817d0c62892c35959e6d8e94eebdfbf27ecf4e083405db9ea4bed2b91e9d17f3a94773c3032b883cc6fdd4b8a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Bro1Ir4A2d8.bat

Filesize
215B

MD5
2b923b83372f944764112d0dcaa39256

SHA1
1e27929ead573ccb54980438601a82860cb168c5

SHA256
bb1c13b6e99932c812df10e630110ef6a70457f9c706b716b0280760719b41e3

SHA512
e7dbab8f15f458d6888ed0539d86b6e22d589904bdc9b4c1b3262519a650c7467bd83a722d6a83e701d9203ddd6c2ccc1360b7b7a36cf7b17139c203ec7f468a

Download Submit
C:\Users\Admin\AppData\Local\Temp\27YLK47Xr8pV.bat

Filesize
215B

MD5
4db3fbc50cb471c65468501a893e59d0

SHA1
868c51c06ae64c93702194eceb46754bf0620a54

SHA256
b145e4fe645fa961fa0042289a79d0f1786e425d391c460d0e29c00991510344

SHA512
e107677e74f71c1624143eccd66649facc42ed377d4126f4a4c814edba28ac3a03ec73d59002d59db5d3804fe6b17d08ad46f7b57bd47a77b016865cd981c328

Download Submit
C:\Users\Admin\AppData\Local\Temp\621lckv08Wh4.bat

Filesize
215B

MD5
d2f731d6825161cc5fc8e3fe807681e2

SHA1
20d5a27a47b8f4cf0390bdaac46f3019648d01a3

SHA256
e829f3c3aed6feb9b38e8328a1a6c2e2d96cfe4d8643cf12534912d74b90cd63

SHA512
b45c215ea94f73fc3294e2322f83b08e1a76219576724d9685f0d73baf7dd593bba0273b1e3b20d133486a8d9c6657964938687353c98109e1a7977e61da5a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\8vkzVKJoeMvJ.bat

Filesize
215B

MD5
d5097a4443f066e3377f156ab3af31db

SHA1
e0a3bd5643a9c78adb3f86f7c760dec24663b4d6

SHA256
559d46f0523648caaca885b30cb03d26cc1c3946e01d84407293da18e42a5d05

SHA512
c1f41b09a9ce5e2a225b11d9d66b098f072d5747e2fa22ee1a32d77531f54bd90f651e8e4dfee04f941e83180aa15c808b5fa25df433ffd454b1dc8bc1cc1bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2Cj0VQ44rrz.bat

Filesize
215B

MD5
f8f3ed80befd339b992d64d44967931b

SHA1
c62debf9253e82c5b5eae1cbb6266e40d47c24e7

SHA256
b0d33006dd0397b9bdfb71ac86afac12c522b683a65536cc395f9fe4c9ee8c77

SHA512
155850b84c1aaea8c760d4503ec83b4d6d7241a4dd4b1d3b8fe7dfa89479d56968b0c3b86cc2833fe1740a30df3d74c5edc4f0e37a5291dd7eb22028477da8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgXTpZGBHsn.bat

Filesize
215B

MD5
c33e4bdeb4d35a7a8d37d758b1db4d05

SHA1
392e6990fa58b507b911ff812890d6f015023c85

SHA256
87bdd41ae15b02187fcbfad0eeeb9dbfbde12c2a01637238de08e376eea98eaf

SHA512
ac5f04eda63ef83a65c8433bfb90c4167876affad9eda7ea224388898823686fe581892f2801fa35550b6db9c8928cfc328b9c58bc6be2c6714a9eceae4d1bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFcz9UW15Bhx.bat

Filesize
215B

MD5
7a538844acea54850c8928a72d324762

SHA1
f10d3be81257378137f86253cb763862dec5c066

SHA256
c9c88e00c71c435e4fd559511ef43da2929a46d33236d8909a085a8df0378799

SHA512
45bfa1080c56988d1c4c29074c41c3e1f7f0d62adc8e27516b9dfa4726693cc1d56e6cb3d89b293b5e201fa4550eb48fc90379f2d6ee67e22ddd51a207735c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HeEusd2aemF0.bat

Filesize
215B

MD5
496fed4d2841d18f785b896b55e5ccb7

SHA1
5031702ce4a63aafea1997a9a7fb2a75ddd70e7c

SHA256
970d24e23a6f12fcf70460250e70f72616e3fe47a5f11f064038200ac63c3ad1

SHA512
d453cef5e04d225cc1f1f3f482aa5b01147eba3dcc10e66503602e41929da2daaa9bfb310e42b0778615492536367e5482f837e06294b280e01a04850d17d5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhzG0R0nelyV.bat

Filesize
215B

MD5
03ff602e65b68b27716c36504943783f

SHA1
a41a26eb8930185821ee92c3ec7b6993699019f7

SHA256
481206577892eaa04f7028cd7ff37cf61ef5ee9c6df68c1f95e696ec5e778f36

SHA512
00a9e37a490c3e860472784b92d7a4e38ae2a11924a513ce29159b75365463f99462d239054bfe6398db754f43ed8232edc3a397eb7fda71e3e841a68e3ccda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jo96uo2r89Q1.bat

Filesize
215B

MD5
5958780b12910ee328a3fcbba8eaa684

SHA1
54d01219ebe8af8cf71b36d78e8d2d51546306e8

SHA256
2262c1540ac8d980a4a86b82e46e37febcb30cbd95c1b9a6b34ce7ec1ff76020

SHA512
9c42d97531541b593d970a3031b03d111af6de7085626ab11b07237ebf9143cdc572356370ea445ccf3c2c4c90265afd83fda9927645a94ea211d0b8ae169d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXfubnsO1BIR.bat

Filesize
215B

MD5
9e3cff11bb80076f59c29a4060d3fa28

SHA1
aed04f9f6b6295ef9a2b5ef664d7ddf2d779dacf

SHA256
442b46859570b5a4ac86615d8bc7db1388d02bcef93320c4ceb5d6d7c4997217

SHA512
25c52dd90ff527576ae30d33759f7d12d8c0d17ad70e3aa23764bc5498aeefec1d95cfbd1935a6d751b9501c08e546e1addd7c8a07f5121023e00bd24f74fbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuhY5gmrtZLv.bat

Filesize
215B

MD5
25fba4db944c06e47739fcb4ff490298

SHA1
8dfced54057d0ec3321d5320a3948f2f36a6ba37

SHA256
21f9bec62e3458e0f70527d8f6cce96a4cf7ae69ed8ff977e889f9a11c91a864

SHA512
1285f7d349594784c48a7829d636a6911961a1a810cd186619529a17c0153bb1ea854233d1b0257ed0aad0c6485ad9d980c36f744704bcd5dd7f7016b3e3a358

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tp4sV5ppS4rH.bat

Filesize
215B

MD5
803b60c37b438c506fcbe24bcf3cac38

SHA1
f04134133127b66e73ec12031a9ae3230c6f6254

SHA256
e6b3229a26dd8abff073c3e69d367f2169c521c85d42372ce7c8a0738691c6c3

SHA512
39ec2e7e59c5fc78c5bfc60f78f6062019e8df328597f9f3b454d1bb9766a856a67617242734a00ee85b12dabd51fedce0f35ff520de24d25a6c2c3e5c85c32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VB3DDCheFKS5.bat

Filesize
215B

MD5
c50a69c1158f4aeedd8b9d421997bdb2

SHA1
b2f65f21c2c0ccca86c67fb26bf72729f2b01659

SHA256
110b1dad27b16c95a96595623475c0f84915a289560fe4bd41da1a021bf8d842

SHA512
c4dfff138b7553f0837f640d42c297aaaa51154c5d230e35dcf34b862e8e40b3ee15dc0a3a783bf495729c85e4152db502a4ff763f11c390dd291171c4757c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wj5NLMWkglMb.bat

Filesize
215B

MD5
06d1d986a83f2dc9dbd4e8199cf6ba94

SHA1
6c072a142e709df4f9e0307072af9f17b152ea21

SHA256
e1e342eb9c6518be74c1ac473442bf3e5afabfc200c3f0d8f0fe7be31e000fae

SHA512
859cc56ac0d9c63e91dd3fbdf3c8f1c4bd4cd68be70a838eac91e590c0bcab128b10f3e1fcb0d4c68617b818739e4e67cc4b4ae7bc7c018d5059d449ea1c77c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwL1BxFuDgPn.bat

Filesize
215B

MD5
6aa0cb87f51d53bebad6ea2d9c160340

SHA1
77769ddea42952bc8305b04105f91d3069d517a8

SHA256
52d42d5d0738b9f3647aa38a379a808a37e53a346ae2ad96fc7e301da08c5f88

SHA512
abdf41d214d20ba5113c88b7aebe8b719a263057b2d406ebceaaf698cfd02ce93baa8a444a13849a8dab9a1d0af0d20818f331c3a75c9e7fe74ffad9acf2e2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\XRFpnc0p6yRN.bat

Filesize
215B

MD5
726c1f5dbfac89d9bec264bd3880a8ee

SHA1
a9093bfee00b2667c6300bca236953209c054f4b

SHA256
01aaab08ecbbfc2bf8e62366b1fe621456a0ca5b7b87372f5cbc63b77c74d103

SHA512
c0ffefeccf700f9244887188db819bdfd275ddf9ec243040156450519467e4bbcd1e0a06022e7a80adfadae3ed1f70af05060904f1934b6199d6184b3f8d108d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ymlx34tru2uZ.bat

Filesize
215B

MD5
4818df3e79d3da0f660e3c55d5912bdf

SHA1
d807845b02dbec4ea4e7f303c602eba0839293c6

SHA256
19d549ff66cc232e46f18fcf7646cd917a71572ae5aa07dc68e862d83a305b34

SHA512
7c59cae82add0a7464670aa531d2c2155258dd298090370c12b48aa9fed1199e7c99fda7f2df518e68e451a44c7339374631b520d8e99572c5c9c75483e7ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk3mH2uz07BZ.bat

Filesize
215B

MD5
05c2f126ad17730604efc5f263922f6c

SHA1
ecde50a1b5e88b2d957f1bf857b7165a7cda36d0

SHA256
366b3d3845e7d369f469444becb384626ab90f67db8ca5f9a41ccfca435a6318

SHA512
cb5d8b1758488bbbdff289302c9a40e2d7fddb1abcfcdd422bce5505275ff49563606d0a83c90c64c633519ae9d31527359028919d7e54dfa967a1bd3de7d49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\el6IWZtKIxcG.bat

Filesize
215B

MD5
943ff7b2a6b8efae9c900f82766f8717

SHA1
c2fd1cc34823eaf9cb82f140e5b62b873bf0e9bb

SHA256
d5c63f9368a27ce34c1c91a78b9e36805af9c994890f512af1e49fc1ee7174eb

SHA512
67e04fae5f0e9a108e4f7e629e70b133fd571f38c1f78b8dc51d91b940c2e0b713ef72fa0d3e7e2bff923e8cc8e0684a1472b77557732349559a24bf692c7b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewrO9BESl5uM.bat

Filesize
215B

MD5
d07288fc9f929e5088a7ac9dde1dace8

SHA1
5f03b6ea5bb8f0fcad279b6f54dbe0a52800ef4e

SHA256
2f014ca4454b7e62b50fde085ff478a2567ef26805dc3536401f4dbebb9dbeea

SHA512
a2880ccd6b071b0c41a2390605847129923c543ed53b129d33b9a303618c760b61592ffbaadfa2c8bbcb689bae7de50a6f41f0f17631387cda41f30ce93e4d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgpD8gWOy329.bat

Filesize
215B

MD5
c3310e3365ec6481defbd49019deaee7

SHA1
a96da6bfcc481fe84626424dbae2b725c0ed92ae

SHA256
330b7fd15f52120a9a2357eda1d4ce6177f98320f9552d241d5474900895bf62

SHA512
0af8aaff560dac437e1ad622adebb45b4440730ff745d40b6bf063ea8d07a860e72c106f2c6568b632ac6fe6930548f3850305c95bb2fcc048a15a5bd8f13ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nZCS4MCQlOTE.bat

Filesize
215B

MD5
895844a8086bd1b065bf854031c95805

SHA1
1b165cc5d6ea4d581204b6e65c54090cd9eb23c8

SHA256
2d3c5e7c0b5444a00cc02b4d1f658b925b5ef8218328a8303b9451572df8c08c

SHA512
e6feffa4b644ce024c29e89fc5029d28f3dad5f2ebf367d7b89ff8dfb4282d31b0b55f8d889237c15295ee7576c8d2aa4a94872eb49deb37d00eb0915e2a7862

Download Submit
C:\Users\Admin\AppData\Local\Temp\oZ0okR6g3HTQ.bat

Filesize
215B

MD5
f12641854532beaddddf97c301f10405

SHA1
68fe181fe6a701785928599270ee9c6109156499

SHA256
169aa23cc3b5ecc741f9cfac578de8319f9fbfe95d6769c2c51ce5d3b2a39c78

SHA512
c73bd42cc576d8b615f7089ad986bbf9504571f9d1a784648bfa595c03fad048d2b1b14ee36b69de71c64cb9e95910da333c4a8a3fc5734fb8d77c46f227766c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyNIoFkKItNG.bat

Filesize
215B

MD5
c764ab31909ee7501f2ab551871508cf

SHA1
997d9be150a8fa45deeb62345d8a45f47645cfe0

SHA256
759beec4cddb889ff4bbda28b9a6402bd20881358c6fb0b80eb74bc0134da0b1

SHA512
5b3ef5f30a5dba4e53fdd97597a35e50d112a183658b80f70931d75b6555ee27796e5eb99c14b3300aa8712b198b39a1d09424d563acc7fa6fb545c28c30f1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYJNXfBfMcuG.bat

Filesize
215B

MD5
12f41c6d363afdc633c88b7ce361f6f4

SHA1
c723c18ae8a17f41366307692ce19a4d0ac017eb

SHA256
db7d5858d774d7e4651a05e60674f228e84aec3ff909eeb9251f3c815c4ab2a5

SHA512
fae86fadc41e0495b42c7da40e478d0da2345b46030e5271d30c83a21f0c838f2792207d6e2087a6aa08960be6369159b548a2fb8269ea0d2d44b2b61d6d9d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmwFefguwqBe.bat

Filesize
215B

MD5
7235302058f7189b7dec67f3a2da21a3

SHA1
6eb199bae740a8dc19ed143c072505745a008188

SHA256
4e6a2747bf6ca202efcd7c210f955b8dc1af6364d258cf9e18d5e61c704f3ac1

SHA512
976a24885be69f56d42beb9bccac46683b68752b57d0b85b2dba571a36731efaa458d3362ad0dd830a8cef3f8b5057032c998c9808ca70887248dd4633ed73a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueQZ89R7oSUE.bat

Filesize
215B

MD5
282d1e2cc9bdf85eb5e3d04f77157563

SHA1
45f66fdcc458513777aadbe928108f3ed3cb158b

SHA256
ab0a459e5cc76c0bd87d844182b42811cc596e4499eef7920121f852fc77c2d7

SHA512
0dea2f7b94a7bb9828d1a15ece8fe0bed1d81f3fd419db76181fd6905046ef5acbabe360ae94a70c8a87b7a9e4b191f6bfbac4801a8989a53eab84a3d5b98d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0xp3MdfsOMq.bat

Filesize
215B

MD5
bd5fe51ad1b61873fa7fc4564231ec18

SHA1
38af2b352db6ae514690fdff94fa8e2e66a8a7f7

SHA256
5dae55c805482a157215b831abf5508c8e90537e96433fe37567d8e686daa5e9

SHA512
4ea0bc3216ed49a6fafbc6fadccd7b0307ac3ddef38d67c94b3253fdcbdcb64a2acdcee923d1d7516c78d9dbd5d1e1bb55df60536979810499458a873c3520d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylXOniSnsafa.bat

Filesize
215B

MD5
e9b642c5723386305e2b058f89a0183e

SHA1
0d955ef6a84bf63b5a61b1a83872d64037d37607

SHA256
71c9cbd8978d218970c74a8e7f8409c9b928b6992289a1e68cc2f640a0fd79c1

SHA512
ac876cb76e707d4e6c512f30dd4f9dcba37d61f608c5f62c6f9d1b0f976a693c3b4e7ca6d27446c99d6a78bd9d94919e92b3c3c7b9a8a230ddbd379c799b31fe

Download Submit
C:\Users\Admin\AppData\Roaming\Rat-Test-cx\Virus-Rat.exe

Filesize
3.1MB

MD5
79069701295f944d67c5f2e0213b3b9c

SHA1
589e8b6227ec6ef923f7eb8e4dc96797593f9535

SHA256
ff62c26c8faf00f841ddeae1e095b8a65a9cb4e0d2a01879aaa8d767c4550cf8

SHA512
472570fbf5ee21c05d9e40aaef32686b5f3f63eba93c7f3efdc23493e74017cea8b2a91a1ac7d8cdbc67fedb18f4dcae20c08fa3b6486807fa38d03dd2114f67

Download Submit
memory/892-8-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/892-1-0x00000000004E0000-0x0000000000804000-memory.dmp

Filesize
3.1MB

Download
memory/892-0-0x00007FFE85A73000-0x00007FFE85A75000-memory.dmp

Filesize
8KB

Download
memory/892-2-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/2324-9-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/2324-11-0x000000001C3D0000-0x000000001C420000-memory.dmp

Filesize
320KB

Download
memory/2324-12-0x000000001C4E0000-0x000000001C592000-memory.dmp

Filesize
712KB

Download
memory/2324-10-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download
memory/2324-17-0x00007FFE85A70000-0x00007FFE86532000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads