Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2024 04:50

General

  • Target

    862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe

  • Size

    3.3MB

  • MD5

    931767ee5322f0d8a22acb26374ef000

  • SHA1

    eac51a96586271fde6ab226db3f3bdbfd1f72111

  • SHA256

    862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06

  • SHA512

    a790213cbe56e1cdc737af9c6a7176a277b04767eba3b9f99102c71d227d1b28696baaa4515f2844fd09e9b9ea6c106557aa24c6471b4f47d68715ce44e041d0

  • SSDEEP

    49152:Zrd5oJBLERqgc7qzy0n1Ta80kXELz5oxr9WROea5CbEo51TMkqCZBO:hd5n3c0fnlb0kXyz59haG95lNqCZBO

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1250787707550957639/phhFYZ2a-1NpRCeFahlBjdnI6gpjCVkQ5Tb8tUGijytYKG4ngP94NUb-cNzVfynZwdY8

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect Umbral payload 35 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
            5⤵
            • Executes dropped EXE
            PID:2752
            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
              6⤵
              • Executes dropped EXE
              PID:1988
              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                7⤵
                • Executes dropped EXE
                PID:896
                • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:2512
                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                    9⤵
                    • Executes dropped EXE
                    PID:1060
                    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                      10⤵
                      • Executes dropped EXE
                      PID:2796
                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                        11⤵
                        • Executes dropped EXE
                        PID:1492
                        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                          12⤵
                          • Executes dropped EXE
                          PID:2732
                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                            13⤵
                            • Executes dropped EXE
                            PID:632
                            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                              14⤵
                              • Executes dropped EXE
                              PID:2260
                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                15⤵
                                • Executes dropped EXE
                                PID:1288
                                • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  PID:2492
                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    PID:1704
                                    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      PID:2208
                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                        19⤵
                                          PID:2056
                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                            20⤵
                                              PID:2888
                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                21⤵
                                                  PID:2304
                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                    22⤵
                                                      PID:2108
                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                        23⤵
                                                          PID:2660
                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                            24⤵
                                                              PID:2280
                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                25⤵
                                                                  PID:2452
                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                    26⤵
                                                                      PID:2744
                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                        27⤵
                                                                          PID:568
                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                            28⤵
                                                                              PID:1288
                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                29⤵
                                                                                  PID:640
                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                    30⤵
                                                                                      PID:2772
                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                        31⤵
                                                                                          PID:1020
                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                            32⤵
                                                                                              PID:1320
                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                33⤵
                                                                                                  PID:1568
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                    34⤵
                                                                                                      PID:2076
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                        35⤵
                                                                                                          PID:1608
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                            36⤵
                                                                                                              PID:1196
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                37⤵
                                                                                                                  PID:1376
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                    38⤵
                                                                                                                      PID:2540
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                        39⤵
                                                                                                                          PID:2876
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                            40⤵
                                                                                                                              PID:1616
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                41⤵
                                                                                                                                  PID:2764
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                    42⤵
                                                                                                                                      PID:1228
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                        43⤵
                                                                                                                                          PID:2228
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                            44⤵
                                                                                                                                              PID:2952
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                45⤵
                                                                                                                                                  PID:3000
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                    46⤵
                                                                                                                                                      PID:800
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                        47⤵
                                                                                                                                                          PID:600
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                            48⤵
                                                                                                                                                              PID:2088
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                49⤵
                                                                                                                                                                  PID:1144
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                    50⤵
                                                                                                                                                                      PID:2736
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                        51⤵
                                                                                                                                                                          PID:1612
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                            52⤵
                                                                                                                                                                              PID:1520
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                53⤵
                                                                                                                                                                                  PID:1896
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                    54⤵
                                                                                                                                                                                      PID:2060
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                        55⤵
                                                                                                                                                                                          PID:2068
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                            56⤵
                                                                                                                                                                                              PID:348
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                57⤵
                                                                                                                                                                                                  PID:1900
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                    58⤵
                                                                                                                                                                                                      PID:1396
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                        59⤵
                                                                                                                                                                                                          PID:1224
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                            60⤵
                                                                                                                                                                                                              PID:2092
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                61⤵
                                                                                                                                                                                                                  PID:2596
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                    62⤵
                                                                                                                                                                                                                      PID:2112
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                        63⤵
                                                                                                                                                                                                                          PID:2284
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                            64⤵
                                                                                                                                                                                                                              PID:2708
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                                65⤵
                                                                                                                                                                                                                                  PID:448
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                                    66⤵
                                                                                                                                                                                                                                      PID:1592
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                                        67⤵
                                                                                                                                                                                                                                          PID:1884
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                                            68⤵
                                                                                                                                                                                                                                              PID:2348
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                                                69⤵
                                                                                                                                                                                                                                                  PID:2868
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                                                    70⤵
                                                                                                                                                                                                                                                      PID:1116
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                                                        71⤵
                                                                                                                                                                                                                                                          PID:1720
                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                          71⤵
                                                                                                                                                                                                                                                            PID:1636
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                            71⤵
                                                                                                                                                                                                                                                              PID:2688
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                72⤵
                                                                                                                                                                                                                                                                  PID:2596
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                              70⤵
                                                                                                                                                                                                                                                                PID:2728
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                70⤵
                                                                                                                                                                                                                                                                  PID:2088
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                    71⤵
                                                                                                                                                                                                                                                                      PID:1700
                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                  69⤵
                                                                                                                                                                                                                                                                    PID:2860
                                                                                                                                                                                                                                                                    • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                      "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                      70⤵
                                                                                                                                                                                                                                                                        PID:2840
                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                      69⤵
                                                                                                                                                                                                                                                                        PID:2572
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                          70⤵
                                                                                                                                                                                                                                                                            PID:2104
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                              cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                              71⤵
                                                                                                                                                                                                                                                                                PID:1188
                                                                                                                                                                                                                                                                                • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                  "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                  72⤵
                                                                                                                                                                                                                                                                                    PID:2780
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                            68⤵
                                                                                                                                                                                                                                                                              PID:2060
                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                              68⤵
                                                                                                                                                                                                                                                                                PID:2760
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                  69⤵
                                                                                                                                                                                                                                                                                    PID:2804
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                      cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                      70⤵
                                                                                                                                                                                                                                                                                        PID:1628
                                                                                                                                                                                                                                                                                        • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                          "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                          71⤵
                                                                                                                                                                                                                                                                                            PID:2628
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                    67⤵
                                                                                                                                                                                                                                                                                      PID:2884
                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                        "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                        68⤵
                                                                                                                                                                                                                                                                                          PID:3020
                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                        67⤵
                                                                                                                                                                                                                                                                                          PID:1952
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                            68⤵
                                                                                                                                                                                                                                                                                              PID:468
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                69⤵
                                                                                                                                                                                                                                                                                                  PID:2644
                                                                                                                                                                                                                                                                                                  • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                    "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                    70⤵
                                                                                                                                                                                                                                                                                                      PID:328
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                              66⤵
                                                                                                                                                                                                                                                                                                PID:2968
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                66⤵
                                                                                                                                                                                                                                                                                                  PID:2520
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                    67⤵
                                                                                                                                                                                                                                                                                                      PID:2564
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                        cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                        68⤵
                                                                                                                                                                                                                                                                                                          PID:2280
                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                            69⤵
                                                                                                                                                                                                                                                                                                              PID:848
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                      65⤵
                                                                                                                                                                                                                                                                                                        PID:2696
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                          "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                          66⤵
                                                                                                                                                                                                                                                                                                            PID:600
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                          65⤵
                                                                                                                                                                                                                                                                                                            PID:2700
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                              66⤵
                                                                                                                                                                                                                                                                                                                PID:2988
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                  cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                  67⤵
                                                                                                                                                                                                                                                                                                                    PID:1588
                                                                                                                                                                                                                                                                                                                    • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                      "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                      68⤵
                                                                                                                                                                                                                                                                                                                        PID:2444
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                64⤵
                                                                                                                                                                                                                                                                                                                  PID:2300
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                  64⤵
                                                                                                                                                                                                                                                                                                                    PID:2952
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                      65⤵
                                                                                                                                                                                                                                                                                                                        PID:868
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                          cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                          66⤵
                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                          PID:2020
                                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                            67⤵
                                                                                                                                                                                                                                                                                                                              PID:1380
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                      63⤵
                                                                                                                                                                                                                                                                                                                        PID:1896
                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                          "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                          64⤵
                                                                                                                                                                                                                                                                                                                            PID:2160
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                          63⤵
                                                                                                                                                                                                                                                                                                                            PID:1796
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                              64⤵
                                                                                                                                                                                                                                                                                                                                PID:2704
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                  cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                  65⤵
                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                  PID:312
                                                                                                                                                                                                                                                                                                                                  • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                    "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                    66⤵
                                                                                                                                                                                                                                                                                                                                      PID:2272
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                              62⤵
                                                                                                                                                                                                                                                                                                                                PID:1060
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                62⤵
                                                                                                                                                                                                                                                                                                                                  PID:2504
                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                    63⤵
                                                                                                                                                                                                                                                                                                                                      PID:304
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                        64⤵
                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                        PID:2916
                                                                                                                                                                                                                                                                                                                                        • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                          "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                          65⤵
                                                                                                                                                                                                                                                                                                                                            PID:1756
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                    61⤵
                                                                                                                                                                                                                                                                                                                                      PID:1444
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                        "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                        62⤵
                                                                                                                                                                                                                                                                                                                                          PID:2812
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                        61⤵
                                                                                                                                                                                                                                                                                                                                          PID:1248
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                            62⤵
                                                                                                                                                                                                                                                                                                                                              PID:2524
                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                63⤵
                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                PID:2192
                                                                                                                                                                                                                                                                                                                                                • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                  64⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2808
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                            60⤵
                                                                                                                                                                                                                                                                                                                                              PID:612
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                              60⤵
                                                                                                                                                                                                                                                                                                                                                PID:1724
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                  61⤵
                                                                                                                                                                                                                                                                                                                                                    PID:640
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                      cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                      62⤵
                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                      PID:2536
                                                                                                                                                                                                                                                                                                                                                      • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                        63⤵
                                                                                                                                                                                                                                                                                                                                                          PID:2628
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                  59⤵
                                                                                                                                                                                                                                                                                                                                                    PID:2484
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                      "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                      60⤵
                                                                                                                                                                                                                                                                                                                                                        PID:2184
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                      59⤵
                                                                                                                                                                                                                                                                                                                                                        PID:2356
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                          60⤵
                                                                                                                                                                                                                                                                                                                                                            PID:2588
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                              cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                              61⤵
                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                              PID:896
                                                                                                                                                                                                                                                                                                                                                              • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                62⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:1752
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                          58⤵
                                                                                                                                                                                                                                                                                                                                                            PID:2812
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                            58⤵
                                                                                                                                                                                                                                                                                                                                                              PID:1624
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                59⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:2700
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                    60⤵
                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                    PID:564
                                                                                                                                                                                                                                                                                                                                                                    • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                      61⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:2608
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                57⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:2552
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                    "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                    58⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:2876
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                    57⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:2604
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                        58⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:1932
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                            59⤵
                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                            PID:2060
                                                                                                                                                                                                                                                                                                                                                                            • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                              60⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:2936
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                        56⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:3036
                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                          56⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:848
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                              57⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:2584
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                  cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                  58⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                  PID:2740
                                                                                                                                                                                                                                                                                                                                                                                  • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                    "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                    59⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:1540
                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                              55⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:2056
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                  "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                  56⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:1612
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                  55⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:984
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                      56⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:2504
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                          cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                          57⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                          PID:1920
                                                                                                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                            58⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:2400
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                      54⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:912
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                        54⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:2744
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                            55⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:2968
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                56⤵
                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                PID:2904
                                                                                                                                                                                                                                                                                                                                                                                                • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                  57⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:2916
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                            53⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:2848
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                54⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:2144
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                53⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:2684
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                    54⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:2864
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                        55⤵
                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                        PID:2708
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                          56⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:2004
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    52⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:2984
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:2540
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                          53⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:3056
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                              cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                              54⤵
                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                              PID:1936
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                55⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:780
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                          51⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:2528
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                              52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:1804
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                              51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:2940
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                  52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2220
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                      53⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2436
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                        54⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2844
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                  50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2660
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                    50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2044
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                        51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1260
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                            52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3008
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                              53⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1328
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                        49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:568
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                            50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1672
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2932
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2032
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                    51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2092
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2724
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1444
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                  48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2564
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1664
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                          50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1580
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                            51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1620
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3068
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                          48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1364
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                          47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2780
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                              48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2520
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                  49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2812
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2948
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                              46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2432
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2176
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2756
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                        48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2572
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1964
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2488
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                        46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:468
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2084
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3032
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2920
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                            44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1664
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1936
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1144
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2640
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3036
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1056
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1528
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        40⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          40⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1984
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              39⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  40⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  39⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      40⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      38⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        38⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            39⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                40⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            37⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2016
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                38⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                37⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    38⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        39⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          40⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1976
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    36⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      36⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          37⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2932
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              38⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                39⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          35⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              36⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2312
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              35⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  36⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      37⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        38⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2188
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        35⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            36⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2268
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              37⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        33⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            33⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2716
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    35⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      36⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2660
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      33⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            35⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      31⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2184
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          31⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  33⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3064
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    34⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2992
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1564
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    31⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          33⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1804
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    29⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        29⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                31⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2428
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            28⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2932
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  29⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2000
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        31⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1556
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:808
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      28⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          28⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2424
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              29⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                30⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    28⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      29⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                25⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    25⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2484
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2024
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        24⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1692
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              25⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    27⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              23⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1920
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  23⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      24⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          25⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2988
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            23⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                24⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  25⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2596
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1644
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        23⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          24⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    20⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      20⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2220
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:320
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                23⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1636
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              20⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  20⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        22⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2388
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          20⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1860
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            21⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1300
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1440
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2544
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1616
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  19⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2704
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1812
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1776
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2856
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2348
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      17⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1056
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2236
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2548
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        16⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1156
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        15⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1248
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1392
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2552
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          14⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1480
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1888
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2224
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2564
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2572
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2756
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            12⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1608
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2472
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2416
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2972
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2720
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2744
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1116
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2024
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2560
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              8⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2904
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1300
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1616
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1940
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1520
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2580
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1500
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2680
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\WinRAR\UnZiper.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\WinRAR\UnZiper.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1688

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraB.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    97bec430634bb8e59d4273c9a395a702

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    a8a04f26cec00ef32501ebe35252d08aaa7e3634

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    57a2fe6374ced2c9c7e2be59d3eca0815188778308e59295d6a868d3e5c4237e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8563d6608337071a89f7b0b7739001a456be19c51dea0f715317c6dbfce9986c59527f39ec7cdcc71007abdd8955996d26835105712e80cd700e086b8d1165a9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    084ab0f114778618e30666e451581845

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0013eacb10d1f89dff71296defa5db17704d3347

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8cf0041d9b5a8ab1fa037c475de20ba1389711d9d4e80fb9638138840f28c649

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0c20196d8810e5c05c1b0b284804c7aa5f05a41bdcf19eb3c983702f8b176fb6e4000e3b3b2ec1da9f8973c9bc0feca9e4446817731104d174c0ba1fdd85cd06

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\dIIhost.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    231KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c05f91c69a98089ded3951424da86771

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0c4c6437efad5f0e1e3e290fb0a9c069cd4a86ed

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    94c820d3a1216c2ea30f7960f60d8324399a522d3e090711aafc6f5d0b860ac5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3ba5631dcc8b839ec1d75a408b10047c3a6713791caa5b7d0fa4df69fcd264df50424404d410727c532de77fc95c082faad3cebae1637c87a146c9bf5979fcc7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\WinRAR\jLO855Jnqn959BA8qy.bat

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    23B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cbad1e030a37190ced948f45d7582691

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    b1590dc4a67cd1b56b6b0ff42d48325de7bb8ea5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    8d910a7da0bc8d3baf495648cc0fef5391e8d7486cfc027827d3828a488f7571

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ce98091245080506c15afd1eba8847e410b43c689ef38b4c971881a0888588cbac39234d73f783ad4f4f113c7fe07d066d4f5e1a2181854b70a032f4308fca92

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    201B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    fb6995d84ff8765f8985b39021495a02

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    da911e465774c0769bc5b6fb10801c08e769b607

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    048d54b81f8126090f61d30d736d677fe62a4eb683b5a7618c91020e7fc10ff5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ea763e3864f726cd58979dee75100cce8692e81ca67fbbcf863f5244c7a127580b71588a2675bc108599109e8e77af7351f85900d0afb65acb98eeb4100632db

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • \WinRAR\UnZiper.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    c06bb1f0ea507c8d8767f269725df3c0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9555e62e99b3bd5af80e7870ab15c38dc97c1757

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    43d0e85345ce2caf4c9b2805c7e5da6a6f7c523f256a46cfeebea9a0eb4f5dce

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    0a14e81ab09263b75f4be83f11cfcd1e9bc903d22aeeae0bf797a97bb261e5700a55bcc3e65ff48a41c01170686e42a756bfabb1769d0efd2b58e62d83bb6197

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/304-282-0x0000000000210000-0x0000000000250000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/304-166-0x0000000000A50000-0x0000000000A90000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/568-366-0x0000000000200000-0x0000000000240000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/808-237-0x0000000000B10000-0x0000000000B50000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/912-274-0x0000000000290000-0x00000000002D0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1020-222-0x0000000000350000-0x0000000000390000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1056-150-0x0000000000140000-0x0000000000180000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1248-306-0x0000000000EC0000-0x0000000000F00000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1444-441-0x0000000000E00000-0x0000000000E40000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1636-16-0x0000000001140000-0x00000000012F2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.7MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1636-13-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1636-38-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1636-186-0x0000000000DD0000-0x0000000000E10000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1636-501-0x0000000000E50000-0x0000000000E90000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1688-67-0x00000000003C0000-0x00000000003CE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    56KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1688-66-0x0000000001330000-0x0000000001502000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1696-137-0x0000000000B80000-0x0000000000BC0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1872-86-0x0000000000D10000-0x0000000000D50000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1892-331-0x0000000001120000-0x0000000001160000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1896-449-0x00000000008D0000-0x0000000000910000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1920-213-0x0000000000010000-0x0000000000050000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1928-1-0x0000000000C60000-0x0000000000FBC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    3.4MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1928-21-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1928-0-0x000007FEF5953000-0x000007FEF5954000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1928-4-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/1996-17-0x0000000001250000-0x0000000001290000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2016-298-0x00000000010D0000-0x0000000001110000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2184-259-0x00000000001C0000-0x0000000000200000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2484-429-0x0000000000E60000-0x0000000000EA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2488-344-0x0000000000320000-0x0000000000360000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2528-378-0x0000000000870000-0x00000000008B0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2552-413-0x0000000000D30000-0x0000000000D70000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2564-111-0x00000000003B0000-0x00000000003F0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2696-465-0x0000000000A10000-0x0000000000A50000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2744-56-0x0000000000F50000-0x0000000000F90000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2748-318-0x0000000001390000-0x00000000013D0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2796-201-0x0000000001350000-0x0000000001390000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2848-394-0x00000000008B0000-0x00000000008F0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2860-489-0x0000000000A60000-0x0000000000AA0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2880-248-0x0000000000800000-0x0000000000840000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/2884-473-0x00000000011A0000-0x00000000011E0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3008-174-0x0000000000B50000-0x0000000000B90000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • memory/3068-356-0x0000000000110000-0x0000000000150000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    256KB