Analysis

max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 04:50

Static task: static1
Behavioral task: behavioral1
Sample: 862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe
Size: 3.3MB
MD5: 931767ee5322f0d8a22acb26374ef000
SHA1: eac51a96586271fde6ab226db3f3bdbfd1f72111
SHA256: 862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06
SHA512: a790213cbe56e1cdc737af9c6a7176a277b04767eba3b9f99102c71d227d1b28696baaa4515f2844fd09e9b9ea6c106557aa24c6471b4f47d68715ce44e041d0
SSDEEP: 49152:Zrd5oJBLERqgc7qzy0n1Ta80kXELz5oxr9WROea5CbEo51TMkqCZBO:hd5n3c0fnlb0kXyz59haG95lNqCZBO
Malware Config
Extracted
umbral
https://discord.com/api/webhooks/1250787707550957639/phhFYZ2a-1NpRCeFahlBjdnI6gpjCVkQ5Tb8tUGijytYKG4ngP94NUb-cNzVfynZwdY8
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Detect Umbral payload (35 IoCs)
DcRat yara matches (3 IoCs):
- behavioral1/files/0x002c000000015f6d-20.dat (dcrat)
- behavioral1/files/0x0007000000016572-62.dat (dcrat)
- behavioral1/memory/1688-66-0x0000000001330000-0x0000000001502000-memory.dmp (dcrat)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Each line: depth | image path | command line | PID | signatures

1 | C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe" | PID 1928 | Suspicious use of WriteProcessMemory
2 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1636 | Executes dropped EXE; Suspicious use of WriteProcessMemory
3 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2400 | Executes dropped EXE; Suspicious use of WriteProcessMemory
4 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2924 | Executes dropped EXE; Suspicious use of WriteProcessMemory
5 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2752 | Executes dropped EXE
6 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1988 | Executes dropped EXE
7 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 896 | Executes dropped EXE
8 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2512 | Executes dropped EXE
9 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1060 | Executes dropped EXE
10 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2796 | Executes dropped EXE
11 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1492 | Executes dropped EXE
12 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2732 | Executes dropped EXE
13 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 632 | Executes dropped EXE
14 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2260 | Executes dropped EXE
15 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1288 | Executes dropped EXE
16 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2492 | Executes dropped EXE
17 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1704 | Executes dropped EXE
18 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2208 | Executes dropped EXE
19 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2056
20 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2888
21 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2304
22 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2108
23 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2660
24 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2280
25 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2452
26 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2744
27 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 568
28 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1288
29 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 640
30 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2772
31 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1020
32 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1320
33 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1568
34 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2076
35 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1608
36 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1196
37 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1376
38 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2540
39 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2876
40 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1616
41 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2764
42 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1228
43 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2228
44 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2952
45 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 3000
46 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 800
47 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 600
48 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2088
49 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1144
50 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2736
51 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1612
52 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1520
53 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1896
54 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2060
55 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2068
56 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 348
57 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1900
58 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1396
59 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1224
60 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2092
61 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2596
62 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2112
63 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2284
64 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2708
65 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 448
66 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1592
67 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1884
68 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2348
69 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2868
70 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1116
71 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 1720
71 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 1636
71 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2688
72 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2596
70 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2728
70 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2088
71 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 1700
69 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2860
70 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 2840
69 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2572
70 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2104
71 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 1188
72 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2780
68 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2060
68 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2760
69 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2804
70 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 1628
71 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2628
67 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2884
68 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 3020
67 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 1952
68 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 468
69 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 2644
70 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 328
66 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2968
66 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2520
67 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2564
68 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 2280
69 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 848
65 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2696
66 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 600
65 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2700
66 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2988
67 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 1588
68 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2444
64 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2300
64 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2952
65 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 868
66 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 2020 | Loads dropped DLL
67 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 1380
63 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 1896
64 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 2160
63 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 1796
64 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2704
65 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 312 | Loads dropped DLL
66 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2272
62 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 1060
62 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2504
63 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 304
64 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 2916 | Loads dropped DLL
65 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 1756
61 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 1444
62 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 2812
61 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 1248
62 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2524
63 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 2192 | Loads dropped DLL
64 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2808
60 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 612
60 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 1724
61 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 640
62 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 2536 | Loads dropped DLL
63 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2628
59 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2484
60 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 2184
59 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2356
60 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2588
61 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 896 | Loads dropped DLL
62 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 1752
58 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2812
58 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 1624
59 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2700
60 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 564 | Loads dropped DLL
61 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2608
57 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2552
58 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 2876
57 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2604
58 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 1932
59 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 2060 | Loads dropped DLL
60 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2936
56 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 3036
56 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 848
57 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2584
58 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 2740 | Loads dropped DLL
59 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 1540
55 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2056
56 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 1612
55 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 984
56 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2504
57 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 1920 | Loads dropped DLL
58 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2400
54 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 912
54 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2744
55 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2968
56 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 2904 | Loads dropped DLL
57 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2916
53 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2848
54 | C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 2144
53 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2684
54 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 2864
55 | C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" " | PID 2708 | Loads dropped DLL
56 | C:\WinRAR\UnZiper.exe | "C:\WinRAR\UnZiper.exe" | PID 2004
52 | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" | PID 2984
52 | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraB.exe" | PID 2540
53 | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe" | PID 3056
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "54⤵
- Loads dropped DLL
PID:1936 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"55⤵PID:780
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"51⤵PID:2528
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid52⤵PID:1804
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"51⤵PID:2940
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"52⤵PID:2220
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "53⤵
- Loads dropped DLL
PID:2436 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"54⤵PID:2844
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"50⤵PID:2660
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"50⤵PID:2044
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"51⤵PID:1260
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "52⤵
- Loads dropped DLL
PID:3008 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"53⤵PID:1328
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"49⤵PID:568
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid50⤵PID:1672
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"49⤵PID:2932
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"50⤵PID:2032
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "51⤵
- Loads dropped DLL
PID:2092 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"52⤵PID:2724
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"48⤵PID:1444
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"48⤵PID:2564
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"49⤵PID:1664
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "50⤵
- Loads dropped DLL
PID:1580 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"51⤵PID:1620
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"47⤵PID:3068
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid48⤵PID:1364
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"47⤵PID:2780
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"48⤵PID:2520
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "49⤵
- Loads dropped DLL
PID:2812 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"50⤵PID:2948
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"46⤵PID:2432
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"46⤵PID:2176
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"47⤵PID:2756
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "48⤵
- Loads dropped DLL
PID:2572 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"49⤵PID:1964
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"45⤵PID:2488
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid46⤵PID:468
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"45⤵PID:2084
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"46⤵PID:3032
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "47⤵
- Loads dropped DLL
PID:2456 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"48⤵PID:2920
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"44⤵PID:1664
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"44⤵PID:1312
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"45⤵PID:2612
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "46⤵
- Loads dropped DLL
PID:1936 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"47⤵PID:1872
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"43⤵PID:1892
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid44⤵PID:1144
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"43⤵PID:2296
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"44⤵PID:2356
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "45⤵
- Loads dropped DLL
PID:2976 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"46⤵PID:816
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"42⤵PID:2640
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"42⤵PID:3036
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"43⤵PID:1548
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "44⤵
- Loads dropped DLL
PID:1784 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"45⤵PID:1308
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"41⤵PID:2748
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid42⤵PID:3020
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"41⤵PID:960
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"42⤵PID:1056
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "43⤵
- Loads dropped DLL
PID:1996 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"44⤵PID:1528
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"40⤵PID:1680
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"40⤵PID:2512
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"41⤵PID:2696
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "42⤵
- Loads dropped DLL
PID:1984 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"43⤵PID:1540
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"39⤵PID:1248
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid40⤵PID:2660
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"39⤵PID:1808
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"40⤵PID:1668
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "41⤵
- Loads dropped DLL
PID:2440 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"42⤵PID:2664
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"38⤵PID:312
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"38⤵PID:1716
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"39⤵PID:1500
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "40⤵
- Loads dropped DLL
PID:1728 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"41⤵PID:2308
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"37⤵PID:2016
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid38⤵PID:1740
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"37⤵PID:1628
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"38⤵PID:2840
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "39⤵
- Loads dropped DLL
PID:448 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"40⤵PID:1976
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"36⤵PID:1624
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"36⤵PID:2660
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"37⤵PID:2932
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "38⤵
- Loads dropped DLL
PID:1872 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"39⤵PID:1952
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"35⤵PID:304
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid36⤵PID:2312
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"35⤵PID:1748
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"36⤵PID:1284
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "37⤵
- Loads dropped DLL
PID:2716 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"38⤵PID:2436
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"34⤵PID:2188
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"34⤵PID:1660
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"35⤵PID:1796
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "36⤵
- Loads dropped DLL
PID:2268 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"37⤵PID:3012
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"33⤵PID:912
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid34⤵PID:1440
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"33⤵PID:2716
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"34⤵PID:2612
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "35⤵
- Loads dropped DLL
PID:1212 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"36⤵PID:2924
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"32⤵PID:2660
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"32⤵PID:1712
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"33⤵PID:2680
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "34⤵
- Loads dropped DLL
PID:2588 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"35⤵PID:1344
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"31⤵PID:2184
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid32⤵PID:1228
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"31⤵PID:1284
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"32⤵PID:1208
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "33⤵
- Loads dropped DLL
PID:3064 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"34⤵PID:2340
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"30⤵PID:2992
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"30⤵PID:1564
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"31⤵PID:840
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "32⤵
- Loads dropped DLL
PID:772 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"33⤵PID:1804
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"29⤵PID:2880
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid30⤵PID:1896
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"29⤵PID:1664
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"30⤵PID:2212
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "31⤵
- Loads dropped DLL
PID:2532 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"32⤵PID:2428
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"28⤵PID:1624
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"28⤵PID:2932
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"29⤵PID:2348
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "30⤵
- Loads dropped DLL
PID:2000 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"31⤵PID:1556
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"27⤵PID:808
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid28⤵PID:1548
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"27⤵PID:768
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"28⤵PID:2424
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "29⤵
- Loads dropped DLL
PID:2068 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"30⤵PID:668
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"26⤵PID:1668
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"26⤵PID:2500
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"27⤵PID:2988
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "28⤵
- Loads dropped DLL
PID:3032 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"29⤵PID:2604
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"25⤵PID:1020
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid26⤵PID:2704
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"25⤵PID:2484
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"26⤵PID:2576
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "27⤵
- Loads dropped DLL
PID:2024 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"28⤵PID:2720
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"24⤵PID:1692
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"24⤵PID:1212
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"25⤵PID:2544
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "26⤵
- Loads dropped DLL
PID:1952 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"27⤵PID:2860
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"23⤵PID:1920
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid24⤵PID:2912
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"23⤵PID:2028
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"24⤵PID:2208
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "25⤵
- Loads dropped DLL
PID:2792 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"26⤵PID:2868
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"22⤵PID:276
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"22⤵PID:2988
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"23⤵PID:2852
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "24⤵
- Loads dropped DLL
PID:1228 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"25⤵PID:2596
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"21⤵PID:2796
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid22⤵PID:2760
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"21⤵PID:2576
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"22⤵PID:1644
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "23⤵
- Loads dropped DLL
PID:1436 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"24⤵PID:2724
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"20⤵PID:1664
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"20⤵PID:2220
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"21⤵PID:1600
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "22⤵
- Loads dropped DLL
PID:320 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"23⤵PID:2444
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"19⤵PID:1636
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid20⤵PID:2676
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"19⤵PID:2872
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"20⤵PID:880
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "21⤵
- Loads dropped DLL
PID:1100 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"22⤵PID:2388
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"18⤵
- Executes dropped EXE
PID:2200
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"18⤵PID:2852
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"19⤵PID:2020
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "20⤵
- Loads dropped DLL
PID:1860 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"21⤵PID:1300
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"17⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid18⤵PID:1880
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"17⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"18⤵PID:328
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "19⤵
- Loads dropped DLL
PID:1356 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"20⤵PID:2100
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"16⤵
- Executes dropped EXE
PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"16⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"17⤵PID:768
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "18⤵
- Loads dropped DLL
PID:1616 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"19⤵PID:2704
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"15⤵
- Executes dropped EXE
PID:304 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid16⤵PID:1812
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"15⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"16⤵PID:1776
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "17⤵
- Loads dropped DLL
PID:816 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"18⤵
- Executes dropped EXE
PID:2792
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"14⤵
- Executes dropped EXE
PID:2856
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"14⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"15⤵PID:2348
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "16⤵
- Loads dropped DLL
PID:2652 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"17⤵
- Executes dropped EXE
PID:2912
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"13⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid14⤵PID:2328
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"13⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"14⤵PID:2236
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "15⤵
- Loads dropped DLL
PID:2548 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"16⤵
- Executes dropped EXE
PID:2532
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"12⤵
- Executes dropped EXE
PID:768
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"12⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"13⤵PID:896
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "14⤵
- Loads dropped DLL
PID:2760 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"15⤵
- Executes dropped EXE
PID:2748
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"11⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid12⤵PID:2912
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"11⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"12⤵PID:1392
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "13⤵
- Loads dropped DLL
PID:2552 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"14⤵
- Executes dropped EXE
PID:1480
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"10⤵
- Executes dropped EXE
PID:2580
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"10⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"11⤵PID:680
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "12⤵
- Loads dropped DLL
PID:3040 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"13⤵
- Executes dropped EXE
PID:2224
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"9⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid10⤵PID:1028
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"9⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"10⤵PID:2756
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "11⤵
- Loads dropped DLL
PID:2840 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"12⤵
- Executes dropped EXE
PID:2080
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"8⤵
- Executes dropped EXE
PID:1608
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"8⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"9⤵PID:2416
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "10⤵
- Loads dropped DLL
PID:1912 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"11⤵
- Executes dropped EXE
PID:1864
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"7⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid8⤵PID:2972
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"7⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"8⤵PID:2720
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "9⤵
- Loads dropped DLL
PID:1116 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"10⤵
- Executes dropped EXE
PID:2436
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"6⤵
- Executes dropped EXE
PID:1668
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"6⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"7⤵PID:816
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "8⤵
- Loads dropped DLL
PID:2928 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"9⤵
- Executes dropped EXE
PID:2400
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid6⤵
- Suspicious use of AdjustPrivilegeToken
PID:284
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"6⤵PID:2024
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "7⤵
- Loads dropped DLL
PID:2560 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"8⤵
- Executes dropped EXE
PID:2696
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"4⤵
- Executes dropped EXE
PID:2904
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"5⤵PID:1300
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "6⤵
- Loads dropped DLL
PID:1616 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"7⤵
- Executes dropped EXE
PID:1940
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"3⤵
- Executes dropped EXE
PID:1520
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"4⤵PID:2580
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "5⤵
- Loads dropped DLL
PID:3028 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"3⤵
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\WinRAR\UnZiper.exe"C:\WinRAR\UnZiper.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads