Analysis

max time kernel: 68s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 16:15

Static task: static1
Behavioral task: behavioral1
Sample: Solara_Updater.exe
Resource: win7-20240215-en

General

Target: Solara_Updater.exe
Size: 1.9MB
MD5: f4cffd7e6cca2b88bba1f19120e9255f
SHA1: 28df62794d325206d1f61a400b5c5c682632e371
SHA256: 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
SHA512: cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8
SSDEEP: 49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i

Malware Config

Extracted: xworm
  answer-riverside.gl.at.ply.gg:45691
  Install_directory: %AppData%
  install_file: svhost.exe

Signatures

Detect Umbral payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000023261-55.dat | family_umbral
  behavioral2/memory/2380-62-0x0000024F3D9B0000-0x0000024F3D9F0000-memory.dmp | family_umbral

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000023260-43.dat | family_xworm
  behavioral2/memory/3844-53-0x0000000000EE0000-0x0000000000EF6000-memory.dmp | family_xworm

Process spawned unexpected child process (18 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  3984 | powershell.exe
  3828 | powershell.exe
  1104 | powershell.exe
  4388 | powershell.exe

Checks computer location settings (2 TTPs, 57 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | XClient.exe

Executes dropped EXE (62 IoCs)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" | XClient.exe

Looks up external IP address via web service (5 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  7 | ip-api.com
  67 | ipinfo.io
  68 | ipinfo.io
  69 | ip-api.com
  98 | ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 19 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (20 IoCs)

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  5736 | PING.EXE

Suspicious behavior: EnumeratesProcesses (12 IoCs)

Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3828
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"4⤵
- Creates scheduled task(s)
PID:3176
-
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"3⤵
- Checks computer location settings
PID:640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "4⤵PID:1416
-
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"5⤵
- Executes dropped EXE
PID:5732
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"3⤵
- Executes dropped EXE
PID:4900
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"4⤵
- Checks computer location settings
PID:2840 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "5⤵PID:5132
-
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"6⤵
- Executes dropped EXE
PID:5756
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"4⤵
- Executes dropped EXE
PID:4104
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5048 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"5⤵
- Checks computer location settings
PID:876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "6⤵PID:5124
-
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"7⤵
- Executes dropped EXE
PID:5612
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"5⤵
- Executes dropped EXE
PID:4316
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4608 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"6⤵
- Checks computer location settings
PID:1816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "7⤵PID:5156
-
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"8⤵
- Executes dropped EXE
PID:5564
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"6⤵
- Executes dropped EXE
PID:3224
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"6⤵
- Executes dropped EXE
PID:976
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"8⤵
- Executes dropped EXE
PID:2644
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:4716 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"8⤵
- Checks computer location settings
PID:2336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "9⤵PID:3176
-
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"10⤵
- Executes dropped EXE
PID:5804
-
-
-
-
-
[7] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4148 | Checks computer location settings; Suspicious use of WriteProcessMemory
[8] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 1432 | Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[9] C:\Users\Admin\AppData\Local\Temp\XClient.exe | "C:\Users\Admin\AppData\Local\Temp\XClient.exe" | PID 3780 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[9] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" | PID 1836 | Executes dropped EXE
[8] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 2236 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[9] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 4112 | Checks computer location settings
[10] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5140
[11] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5724 | Executes dropped EXE
[12] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oiosxfja\oiosxfja.cmdline" | PID 5916
[13] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE9F.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C6F892BA6F049C0BB1C42B55371E24.TMP" | PID 3712
[12] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xcbzmeex\xcbzmeex.cmdline" | PID 6072
[13] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DB.tmp" "c:\Users\Admin\AppData\Roaming\CSC2DF3E632D8534E5A84A309B7CDD374.TMP" | PID 2384
[12] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trvbkygg\trvbkygg.cmdline" | PID 5112
[13] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES371.tmp" "c:\Windows\System32\CSCA9863F3A1604EA78B4591A2E1E2988D.TMP" | PID 3504
[12] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H8S9Oa3LSw.bat" | PID 5592
[13] C:\Windows\system32\chcp.com | chcp 65001 | PID 2284
[13] C:\Windows\system32\PING.EXE | ping -n 10 localhost | PID 5736 | Runs ping.exe
[13] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet\bridgeblockportComBroker.exe" | PID 3232
[8] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 1868 | Checks computer location settings; Suspicious use of WriteProcessMemory
[9] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 924 | Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[10] C:\Users\Admin\AppData\Local\Temp\XClient.exe | "C:\Users\Admin\AppData\Local\Temp\XClient.exe" | PID 1964 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[10] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" | PID 4332 | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
[11] C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 3600 | Suspicious use of AdjustPrivilegeToken
[12] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 684
[9] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 1892 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[10] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5032 | Checks computer location settings
[11] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5148
[12] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5572 | Executes dropped EXE
[9] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 3544 | Checks computer location settings
[10] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4208 | Executes dropped EXE
[10] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 1420 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[11] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 4568 | Checks computer location settings
[12] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5164
[13] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5796 | Executes dropped EXE
[10] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 2200 | Checks computer location settings
[11] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4360 | Executes dropped EXE
[11] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 2292 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[12] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3220 | Checks computer location settings
[13] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5448
[14] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5896 | Executes dropped EXE
[11] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 1488 | Checks computer location settings
[12] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 2236 | Executes dropped EXE
[12] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 3212 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[13] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 4156 | Checks computer location settings
[14] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5948
[15] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 6012 | Executes dropped EXE
[12] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4608 | Checks computer location settings
[13] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 2836 | Executes dropped EXE
[13] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 2604 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[14] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 4492 | Checks computer location settings
[15] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 4100
[16] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 712 | Executes dropped EXE
[13] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5016 | Checks computer location settings
[14] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 1556 | Executes dropped EXE
[14] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 4220 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[15] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3656
[16] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 440
[17] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 4576
[14] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 1564 | Checks computer location settings
[15] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 684 | Executes dropped EXE
[15] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 1120 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[16] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 2604
[17] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5860
[18] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5676
[18] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5944
[15] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 3208 | Checks computer location settings
[16] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4688 | Executes dropped EXE
[16] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 3772 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[17] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3968
[18] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 1856
[19] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 4688
[16] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4372 | Checks computer location settings
[17] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 2340 | Executes dropped EXE
[18] C:\Users\Admin\AppData\Local\Temp\XClient.exe | "C:\Users\Admin\AppData\Local\Temp\XClient.exe" | PID 6060
[18] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" | PID 6036
[19] C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 5720
[17] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 3224 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[18] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 4652
[19] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 4492
[20] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5472
[17] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 2072 | Checks computer location settings
[18] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4844 | Executes dropped EXE
[18] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 4336 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[19] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3628
[20] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 1564
[21] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 4636
[18] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4624 | Checks computer location settings
[19] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 1008 | Executes dropped EXE
[19] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 4148 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[20] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3084
[21] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5332
[22] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5456
[19] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5036 | Checks computer location settings
[20] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 1252 | Executes dropped EXE
[20] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 1416 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[21] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 1216
[22] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5208
[23] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5304
[20] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 1336 | Checks computer location settings
[21] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5652 | Executes dropped EXE
[21] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 5676 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[22] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5868
[23] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5656
[24] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 4092
[21] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5688 | Checks computer location settings
[22] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 6084 | Executes dropped EXE
[22] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 6108 | Checks computer location settings; Executes dropped EXE; Modifies registry class
[23] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 1868
[24] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5912
[25] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5124
[22] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 6124
[23] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4592
[23] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 1120
[24] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5176
[25] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5180
[26] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 2340
[23] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 1816
[24] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4112
[25] C:\Users\Admin\AppData\Local\Temp\XClient.exe | "C:\Users\Admin\AppData\Local\Temp\XClient.exe" | PID 5548
[25] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" | PID 5940
[26] C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 2336
[24] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 2296
[25] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5812
[26] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 4020
[27] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1008
[27] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5184
[24] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4412
[25] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5716
[25] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 4516
[26] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 2880
[27] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5788
[28] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5724
[25] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 6048
[26] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 876
[26] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 4844
[27] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3668
[28] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5156
[29] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 1416
[29] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5144
[26] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5708
[27] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5316
[27] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 4108
[28] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5588
[29] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5472
[30] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 6032
[27] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4624
[28] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 3212
[28] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 5164
[29] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5252
[30] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5656
[31] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 1564
[28] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5344
[29] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4280
[30] C:\Users\Admin\AppData\Local\Temp\XClient.exe | "C:\Users\Admin\AppData\Local\Temp\XClient.exe" | PID 5260
[30] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" | PID 1980
[31] C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 4108
[29] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 4736
[30] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3980
[31] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 2072
[32] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 4220
[29] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4404
[30] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5720
[31] C:\Users\Admin\AppData\Local\Temp\XClient.exe | "C:\Users\Admin\AppData\Local\Temp\XClient.exe" | PID 6120
[31] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" | PID 5564
[32] C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 2644
[30] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 3604
[31] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 500
[32] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 4332
[33] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5224
[30] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5624
[31] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 6068
[31] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 5816
[32] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 4508
[33] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 1744
[34] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 3368
[31] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5848
[32] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 1888
[32] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 4212
[33] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5448
[34] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5824
[35] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 1700
[32] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5824
[33] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4844
[33] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 6140
[34] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 1132
[35] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 2856
[36] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 2312
[33] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4576
[34] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4204
[34] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 5704
[35] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3968
[36] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 4760
[37] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 1156
[34] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5684
[35] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 3996
[35] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 1996
[36] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3520
[37] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5976
[38] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5304
[35] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 2376
[36] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4336
[36] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 2848
[37] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5464
[38] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 1780
[39] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 4780
[36] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 1868
[37] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5648
[37] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 2380
[38] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 4568
[39] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5200
[40] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5900
[37] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5856
[38] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 2840
[39] C:\Users\Admin\AppData\Local\Temp\XClient.exe | "C:\Users\Admin\AppData\Local\Temp\XClient.exe" | PID 6004
[39] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" | PID 1252
[40] C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 2844
[38] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 3200
[39] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5548
[40] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5248
[41] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5628
[38] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4576
[39] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5260
[39] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 2376
[40] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 436
[41] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 4736
[42] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5672
[39] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4628
[40] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4212
[40] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 816
[41] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3788
[42] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 3588
[43] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5680
[40] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4336
[41] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5504
[41] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 4092
[42] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 4348
[43] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 4772
[44] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5932
[41] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4620
[42] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5704
[42] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 5592
[43] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5820
[44] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 4204
[45] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5212
[42] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4204
[43] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 2100
[43] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 3208
[44] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5516
[45] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 5080
[46] C:\hostNet\bridgeblockportComBroker.exe | "C:\hostNet/bridgeblockportComBroker.exe" | PID 5708
[43] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 6008
[44] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5456
[44] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 4736
[45] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 1660
[46] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" " | PID 3732
[44] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 2340
[45] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 6140
[45] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 2336
[46] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3220
[45] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5540
[46] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5300
[47] C:\Users\Admin\AppData\Local\Temp\XClient.exe | "C:\Users\Admin\AppData\Local\Temp\XClient.exe" | PID 5284
[47] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" | PID 4848
[48] C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 5632
[46] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 528
[47] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3792
[46] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 4336
[47] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 3288
[47] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 5044
[48] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 5612
[47] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5188
[48] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 732
[48] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 5864
[49] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3440
[48] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5492
[49] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 1744
[49] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 5264
[50] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 3520
[49] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 5636
[50] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 4884
[50] C:\Users\Admin\AppData\Local\Temp\sol.exe | "C:\Users\Admin\AppData\Local\Temp\sol.exe" | PID 5692
[51] C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe" | PID 1972
[50] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe" | PID 6140
[51] C:\Users\Admin\AppData\Local\Temp\Loader.exe | "C:\Users\Admin\AppData\Local\Temp\Loader.exe" | PID 5652
[52] C:\Users\Admin\AppData\Local\Temp\XClient.exe | "C:\Users\Admin\AppData\Local\Temp\XClient.exe" | PID 5988
[52] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" | PID 5564
[53] C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid | PID 5976
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"51⤵PID:5616
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"52⤵PID:5448
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"51⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"52⤵PID:3128
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"52⤵PID:3360
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"53⤵PID:2344
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"52⤵PID:2100
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"53⤵PID:2732
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"53⤵PID:4356
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"54⤵PID:2284
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"53⤵PID:6060
-
level 1  PID 4208  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
level 1  PID 4352  C:\Users\Admin\AppData\Roaming\svhost.exe  cmdline: C:\Users\Admin\AppData\Roaming\svhost.exe  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
level 1  PID 4608  C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
level 1  PID 2644  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
level 1  PID 5520  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 5524  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 5856  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 1780  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\MoSetup\sihost.exe'" /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 3668  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\MoSetup\sihost.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 4604  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\MoSetup\sihost.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 4740  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\hostNet\System.exe'" /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 4592  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\hostNet\System.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 2536  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\hostNet\System.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 4220  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 6044  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 6056  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 2732  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\hostNet\WmiPrvSE.exe'" /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 3656  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\hostNet\WmiPrvSE.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 3896  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\hostNet\WmiPrvSE.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 1816  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 5 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 2548  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 1780  C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 10 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f  [Process spawned unexpected child process; Creates scheduled task(s)]
level 1  PID 5636  C:\Users\Admin\AppData\Roaming\svhost.exe  cmdline: C:\Users\Admin\AppData\Roaming\svhost.exe
level 2  PID 6128  C:\Users\Admin\AppData\Roaming\svhost.exe.exe  cmdline: "C:\Users\Admin\AppData\Roaming\svhost.exe.exe"
level 2  PID 6004  C:\Recovery\WindowsRE\cmd.exe  cmdline: "C:\Recovery\WindowsRE\cmd.exe"
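The eighteen schtasks.exe lines above follow one pattern per dropped binary: a task named after a Windows component (cmd, sihost, RuntimeBroker, WmiPrvSE) that fires ONLOGON with /rl HIGHEST, plus a "…s"/"…R"/"…W"-suffixed twin that re-runs every few minutes, all pointing at a copy of that binary name in a directory where it does not belong (C:\Recovery\WindowsRE, C:\Windows\Logs\MoSetup, C:\hostNet). The following triage script is an added example, not part of the sandbox report or the sample: it parses schtasks /create command lines of this shape and flags the masquerading targets. Five of the sample lines are copied from the tree above and one benign control line is constructed; the allow-lists, heuristics and function names are the author's assumptions.

```python
"""Triage of scheduled-task persistence from a sandbox process tree.

Added example; it is not part of the sandbox report. It parses
``schtasks.exe /create`` command lines of the kind listed above and flags
the ones that look like masquerading persistence. The heuristics, the
function names and the allow-lists are the author's assumptions.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Five command lines copied from the report's process tree, plus one
# constructed benign task (the robocopy line) as a control.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f""",
    r"""schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\MoSetup\sihost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 5 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f""",
    r"""schtasks.exe /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe" /f""",
]

# Genuine Windows binary names the report's tasks borrow (assumed list).
WINDOWS_BINARIES = {"cmd.exe", "sihost.exe", "runtimebroker.exe",
                    "wmiprvse.exe", "svchost.exe", "conhost.exe"}
# Where those binaries legitimately live (lower-case, no trailing slash).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Top-level directories a task target is normally found under.
KNOWN_ROOTS = {"windows", "program files", "program files (x86)",
               "users", "programdata", "recovery"}

_FLAG = re.compile(r'/(tn|tr|sc|mo|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


@dataclass
class TaskFinding:
    name: str
    target: str
    schedule: str
    interval: Optional[int]
    run_level: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Location-based reasons are the strong signal; /rl HIGHEST and a
        # short repeat interval alone are common in benign tasks too.
        return "masquerade" in self.reasons or "unusual_root" in self.reasons


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Extract the /tn, /tr, /sc, /mo and /rl values from a schtasks line."""
    opts: Dict[str, str] = {}
    for m in _FLAG.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        # The report wraps the target in single quotes inside the double
        # quotes ("'C:\...\cmd.exe'"); strip those as well.
        opts[m.group(1).lower()] = value.strip("'")
    return opts


def assess(cmdline: str) -> Optional[TaskFinding]:
    """Return a TaskFinding for a /create line, or None for other verbs."""
    if "/create" not in cmdline.lower():
        return None
    opts = parse_schtasks(cmdline)
    target = opts.get("tr", "")
    finding = TaskFinding(
        name=opts.get("tn", ""),
        target=target,
        schedule=opts.get("sc", "").upper(),
        interval=int(opts["mo"]) if opts.get("mo", "").isdigit() else None,
        run_level=opts.get("rl", "").upper() or None,
    )
    directory, basename = (s.lower() for s in ntpath.split(target))
    if basename in WINDOWS_BINARIES and directory not in LEGIT_DIRS:
        finding.reasons.append("masquerade")      # system binary name, wrong directory
    _, tail = ntpath.splitdrive(directory)
    root = tail.strip("\\").split("\\")[0]
    if root and root not in KNOWN_ROOTS:
        finding.reasons.append("unusual_root")    # e.g. C:\hostNet
    if finding.run_level == "HIGHEST":
        finding.reasons.append("highest")
    if finding.schedule == "MINUTE" and finding.interval is not None and finding.interval <= 15:
        finding.reasons.append("short_interval")
    return finding


def triage(cmdlines: List[str]) -> List[TaskFinding]:
    """Assess every line; lines that are not /create are dropped."""
    return [f for f in (assess(c) for c in cmdlines) if f is not None]


def tasks_per_target(findings: List[TaskFinding]) -> Dict[str, List[str]]:
    """Targets registered under more than one task name (the report's
    'cmd' / 'cmdc' pattern: one on-logon task plus a minute-repeat twin)."""
    names: Dict[str, set] = {}
    for f in findings:
        names.setdefault(f.target, set()).add(f.name)
    return {t: sorted(n) for t, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        mark = "SUSPICIOUS" if f.suspicious else "ok        "
        print(f"{mark} {f.name:<28} {f.target}  {','.join(f.reasons)}")
    print(tasks_per_target(triage(SAMPLE_CMDLINES)))
```

Only the location-based reasons decide the verdict; HIGHEST run level and a short repeat interval are recorded as supporting context because plenty of legitimate tasks use both. The same parser can be pointed at the Task Scheduler operational log or at `schtasks /query /v /fo csv` output on a live host, with the caveat that the allow-lists above cover only the directories and binary names that occur in this report.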
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 4c8fa14eeeeda6fe76a08d14e08bf756
SHA1: 30003b6798090ec74eb477bbed88e086f8552976
SHA256: 7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5
SHA512: 116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: a8e8360d573a4ff072dcc6f09d992c88
SHA1: 3446774433ceaf0b400073914facab11b98b6807
SHA256: bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512: 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Filesize: 944B
MD5: 50d3033f2bc3a3774c469d03e71a79a9
SHA1: 22027b1d52085de99b3bffa276530fea5d961471
SHA256: 2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147
SHA512: ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Filesize: 944B
MD5: 2d6baabb78161c2401e97f08de1b3b4e
SHA1: 7bd22cebd5f310d8ac2ef8027caf6a0ec3bf709e
SHA256: 1cea816e9897ec6852edb3671e5a93b05ea817bc969c4d47ee70f5573f95df42
SHA512: 9f35b70cdb0159002143296f11dd22bec6e28836d36bb2ec0527692935cfc3f43df54871a9397bbdf2aaf6912943968310320433ca51a39e360d7227262c754c

Filesize: 139KB
MD5: 8f77f8b13b914f358059e3f7b9ddab70
SHA1: d406a28486b4dd881c454e526e149b98c0ec8462
SHA256: c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512: b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

Filesize: 231KB
MD5: ff8f5c2670894f74456e534b34d6a8fe
SHA1: e0b35ae06f68adf07e4616da8e91bb1f935e492a
SHA256: d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
SHA512: a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

Filesize: 60KB
MD5: 28ff989c1d462f567aabb9c5ba76456b
SHA1: 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2
SHA256: a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
SHA512: 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2.1MB
MD5: 25daefc71be60b76cb49fc81424d768d
SHA1: 48be475dd36b433d62d4f7fed9b4d81a90122dee
SHA256: 1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a
SHA512: e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

Filesize: 1.8MB
MD5: 8ccc428a5a6f6139dc191d332f3de08b
SHA1: ae550a8fb67deeb1350020aa3fe8b0339db6bc71
SHA256: 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749
SHA512: 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

Filesize: 230B
MD5: 92408a105526970fa12ef23225de61ae
SHA1: bf70e8e671c10bf85771b2b8dd4549766cf79582
SHA256: b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10
SHA512: 56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

Filesize: 83B
MD5: 02d21af8c5d6e8e0240a01325bcc4154
SHA1: ce58641040b6fe35d465a8a6932c277c7ff37ee5
SHA256: 31498b70dce38481c709a35f22dbab0bde2be880abe88d6c90b7a96bf9f070b7
SHA512: 758201561db3058e8d6d18c9a838fd49aa612fe0ef544479cc5776e4618ee4e90245b41b1bdb90257298c27fb6ee2589a262f8143816fa091be88a1ca977f7e8