umbral | 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara_Updater.exe
Size

1.9MB
MD5

f4cffd7e6cca2b88bba1f19120e9255f
SHA1

28df62794d325206d1f61a400b5c5c682632e371
SHA256

4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
SHA512

cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8
SSDEEP

49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i

Score

10^/10

umbral xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1239665745831530598/iJT0OELt4O4igXW_VMu-CUIfcqaawXLhyC4Bruuv1t2x0XOvC0_p9dc-G_RxJMO7fn-V

Extracted

Family

xworm

answer-riverside.gl.at.ply.gg:45691

Attributes

Install_directory
%AppData%
install_file
svhost.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002340c-138.dat	family_umbral
behavioral2/memory/2744-141-0x0000025AF92D0000-0x0000025AF9310000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001700000002340b-122.dat	family_xworm
behavioral2/memory/4252-139-0x0000000000DB0000-0x0000000000DC6000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\Oracle\\sihost.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\Oracle\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\Oracle\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\hostNet\\RuntimeBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\Oracle\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Solara_Updater.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\Oracle\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Solara_Updater.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\Oracle\\sihost.exe\", \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\hostNet\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Solara_Updater.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	32	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	32	schtasks.exe	94

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4924	powershell.exe
4564	powershell.exe
4760	powershell.exe
1212	powershell.exe
2784	powershell.exe
2772	powershell.exe
4536	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe

Executes dropped EXE 64 IoCs

pid	Process
2016	Loader.exe
2584	sol.exe
2828	Loader.exe
3948	sol.exe
4552	Loader.exe
1472	sol.exe
2420	Loader.exe
2564	sol.exe
640	Loader.exe
3780	sol.exe
1128	Loader.exe
2300	sol.exe
4088	Loader.exe
4652	sol.exe
1204	Loader.exe
5008	sol.exe
4852	Loader.exe
4692	sol.exe
2692	Loader.exe
4780	sol.exe
4252	XClient.exe
2744	RustCheat.exe
1452	Loader.exe
752	sol.exe
1204	bridgeblockportComBroker.exe
4500	Loader.exe
2796	sol.exe
1848	bridgeblockportComBroker.exe
1552	Loader.exe
1216	sol.exe
1452	bridgeblockportComBroker.exe
2912	Loader.exe
4768	sol.exe
1472	bridgeblockportComBroker.exe
4748	Loader.exe
4972	sol.exe
4016	bridgeblockportComBroker.exe
3908	Loader.exe
1404	sol.exe
1204	Solara_Updater.exe
1600	bridgeblockportComBroker.exe
2312	Loader.exe
4692	sol.exe
1180	bridgeblockportComBroker.exe
5084	Loader.exe
640	sol.exe
4852	bridgeblockportComBroker.exe
1980	Loader.exe
5016	sol.exe
1020	XClient.exe
556	RustCheat.exe
2752	Loader.exe
4088	sol.exe
4524	bridgeblockportComBroker.exe
1400	Loader.exe
3452	sol.exe
1212	bridgeblockportComBroker.exe
2944	bridgeblockportComBroker.exe
3328	Loader.exe
1612	sol.exe
4788	Loader.exe
4980	bridgeblockportComBroker.exe
2324	sol.exe
3936	Loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Common Files\\Oracle\\sihost.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\WindowsRE\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\hostNet\\RuntimeBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\hostNet\\RuntimeBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara_Updater = "\"C:\\Recovery\\WindowsRE\\Solara_Updater.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Common Files\\Oracle\\sihost.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\WindowsRE\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara_Updater = "\"C:\\Recovery\\WindowsRE\\Solara_Updater.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ip-api.com
74	ip-api.com
103	ip-api.com
23	ip-api.com
47	ipinfo.io
48	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9A00495312214188BF5E6B8B391044D9.TMP	csc.exe
File created	\??\c:\Windows\System32\fruvan.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Oracle\sihost.exe	bridgeblockportComBroker.exe
File created	C:\Program Files (x86)\Common Files\Oracle\66fc9ff0ee96c2	bridgeblockportComBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
680	schtasks.exe
828	schtasks.exe
4512	schtasks.exe
3852	schtasks.exe
5000	schtasks.exe
3556	schtasks.exe
5040	schtasks.exe
1844	schtasks.exe
4812	schtasks.exe
4748	schtasks.exe
1784	schtasks.exe
1260	schtasks.exe
3876	schtasks.exe
4652	schtasks.exe
2096	schtasks.exe
3532	schtasks.exe
2412	schtasks.exe
1128	schtasks.exe
2952	schtasks.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
972	wmic.exe
2364	wmic.exe
1632	wmic.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	bridgeblockportComBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	sol.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1672	PING.EXE
536	PING.EXE
4824	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe
1204	bridgeblockportComBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	Loader.exe
Token: SeDebugPrivilege	4252	XClient.exe
Token: SeDebugPrivilege	2744	RustCheat.exe
Token: SeDebugPrivilege	2692	Loader.exe
Token: SeIncreaseQuotaPrivilege	1428	wmic.exe
Token: SeSecurityPrivilege	1428	wmic.exe
Token: SeTakeOwnershipPrivilege	1428	wmic.exe
Token: SeLoadDriverPrivilege	1428	wmic.exe
Token: SeSystemProfilePrivilege	1428	wmic.exe
Token: SeSystemtimePrivilege	1428	wmic.exe
Token: SeProfSingleProcessPrivilege	1428	wmic.exe
Token: SeIncBasePriorityPrivilege	1428	wmic.exe
Token: SeCreatePagefilePrivilege	1428	wmic.exe
Token: SeBackupPrivilege	1428	wmic.exe
Token: SeRestorePrivilege	1428	wmic.exe
Token: SeShutdownPrivilege	1428	wmic.exe
Token: SeDebugPrivilege	1428	wmic.exe
Token: SeSystemEnvironmentPrivilege	1428	wmic.exe
Token: SeRemoteShutdownPrivilege	1428	wmic.exe
Token: SeUndockPrivilege	1428	wmic.exe
Token: SeManageVolumePrivilege	1428	wmic.exe
Token: 33	1428	wmic.exe
Token: 34	1428	wmic.exe
Token: 35	1428	wmic.exe
Token: 36	1428	wmic.exe
Token: SeIncreaseQuotaPrivilege	1428	wmic.exe
Token: SeSecurityPrivilege	1428	wmic.exe
Token: SeTakeOwnershipPrivilege	1428	wmic.exe
Token: SeLoadDriverPrivilege	1428	wmic.exe
Token: SeSystemProfilePrivilege	1428	wmic.exe
Token: SeSystemtimePrivilege	1428	wmic.exe
Token: SeProfSingleProcessPrivilege	1428	wmic.exe
Token: SeIncBasePriorityPrivilege	1428	wmic.exe
Token: SeCreatePagefilePrivilege	1428	wmic.exe
Token: SeBackupPrivilege	1428	wmic.exe
Token: SeRestorePrivilege	1428	wmic.exe
Token: SeShutdownPrivilege	1428	wmic.exe
Token: SeDebugPrivilege	1428	wmic.exe
Token: SeSystemEnvironmentPrivilege	1428	wmic.exe
Token: SeRemoteShutdownPrivilege	1428	wmic.exe
Token: SeUndockPrivilege	1428	wmic.exe
Token: SeManageVolumePrivilege	1428	wmic.exe
Token: 33	1428	wmic.exe
Token: 34	1428	wmic.exe
Token: 35	1428	wmic.exe
Token: 36	1428	wmic.exe
Token: SeDebugPrivilege	1204	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1848	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1452	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1472	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	4016	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1204	Solara_Updater.exe
Token: SeDebugPrivilege	1600	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1180	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	4852	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1020	XClient.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1980	Loader.exe
Token: SeDebugPrivilege	4524	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4036	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 2016	3128	Solara_Updater.exe	88
PID 3128 wrote to memory of 2016	3128	Solara_Updater.exe	88
PID 3128 wrote to memory of 2584	3128	Solara_Updater.exe	89
PID 3128 wrote to memory of 2584	3128	Solara_Updater.exe	89
PID 3128 wrote to memory of 2584	3128	Solara_Updater.exe	89
PID 3128 wrote to memory of 1844	3128	Solara_Updater.exe	90
PID 3128 wrote to memory of 1844	3128	Solara_Updater.exe	90
PID 2584 wrote to memory of 3364	2584	sol.exe	93
PID 2584 wrote to memory of 3364	2584	sol.exe	93
PID 2584 wrote to memory of 3364	2584	sol.exe	93
PID 1844 wrote to memory of 2828	1844	Solara_Updater.exe	96
PID 1844 wrote to memory of 2828	1844	Solara_Updater.exe	96
PID 1844 wrote to memory of 3948	1844	Solara_Updater.exe	97
PID 1844 wrote to memory of 3948	1844	Solara_Updater.exe	97
PID 1844 wrote to memory of 3948	1844	Solara_Updater.exe	97
PID 1844 wrote to memory of 4544	1844	Solara_Updater.exe	98
PID 1844 wrote to memory of 4544	1844	Solara_Updater.exe	98
PID 3948 wrote to memory of 448	3948	sol.exe	99
PID 3948 wrote to memory of 448	3948	sol.exe	99
PID 3948 wrote to memory of 448	3948	sol.exe	99
PID 4544 wrote to memory of 4552	4544	Solara_Updater.exe	100
PID 4544 wrote to memory of 4552	4544	Solara_Updater.exe	100
PID 4544 wrote to memory of 1472	4544	Solara_Updater.exe	101
PID 4544 wrote to memory of 1472	4544	Solara_Updater.exe	101
PID 4544 wrote to memory of 1472	4544	Solara_Updater.exe	101
PID 4544 wrote to memory of 3116	4544	Solara_Updater.exe	102
PID 4544 wrote to memory of 3116	4544	Solara_Updater.exe	102
PID 1472 wrote to memory of 2428	1472	sol.exe	104
PID 1472 wrote to memory of 2428	1472	sol.exe	104
PID 1472 wrote to memory of 2428	1472	sol.exe	104
PID 3116 wrote to memory of 2420	3116	Solara_Updater.exe	105
PID 3116 wrote to memory of 2420	3116	Solara_Updater.exe	105
PID 3116 wrote to memory of 2564	3116	Solara_Updater.exe	106
PID 3116 wrote to memory of 2564	3116	Solara_Updater.exe	106
PID 3116 wrote to memory of 2564	3116	Solara_Updater.exe	106
PID 3116 wrote to memory of 1912	3116	Solara_Updater.exe	107
PID 3116 wrote to memory of 1912	3116	Solara_Updater.exe	107
PID 2564 wrote to memory of 4668	2564	sol.exe	108
PID 2564 wrote to memory of 4668	2564	sol.exe	108
PID 2564 wrote to memory of 4668	2564	sol.exe	108
PID 1912 wrote to memory of 640	1912	Solara_Updater.exe	110
PID 1912 wrote to memory of 640	1912	Solara_Updater.exe	110
PID 1912 wrote to memory of 3780	1912	Solara_Updater.exe	111
PID 1912 wrote to memory of 3780	1912	Solara_Updater.exe	111
PID 1912 wrote to memory of 3780	1912	Solara_Updater.exe	111
PID 1912 wrote to memory of 432	1912	Solara_Updater.exe	112
PID 1912 wrote to memory of 432	1912	Solara_Updater.exe	112
PID 3780 wrote to memory of 2008	3780	sol.exe	113
PID 3780 wrote to memory of 2008	3780	sol.exe	113
PID 3780 wrote to memory of 2008	3780	sol.exe	113
PID 432 wrote to memory of 1128	432	Solara_Updater.exe	115
PID 432 wrote to memory of 1128	432	Solara_Updater.exe	115
PID 432 wrote to memory of 2300	432	Solara_Updater.exe	116
PID 432 wrote to memory of 2300	432	Solara_Updater.exe	116
PID 432 wrote to memory of 2300	432	Solara_Updater.exe	116
PID 432 wrote to memory of 5040	432	Solara_Updater.exe	117
PID 432 wrote to memory of 5040	432	Solara_Updater.exe	117
PID 2300 wrote to memory of 4724	2300	sol.exe	118
PID 2300 wrote to memory of 4724	2300	sol.exe	118
PID 2300 wrote to memory of 4724	2300	sol.exe	118
PID 5040 wrote to memory of 4088	5040	Solara_Updater.exe	119
PID 5040 wrote to memory of 4088	5040	Solara_Updater.exe	119
PID 5040 wrote to memory of 4652	5040	Solara_Updater.exe	120
PID 5040 wrote to memory of 4652	5040	Solara_Updater.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3532	attrib.exe
3672	attrib.exe
2796	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4924
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:4812
- - C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1428
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
      4⤵
      Views/modifies file attributes
      PID:3532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:64
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1212
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4036
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2684
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:2184
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:972
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
      4⤵
      PID:2300
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:64
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:4824
- C:\Users\Admin\AppData\Local\Temp\sol.exe
  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
    3⤵
    PID:3364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
      4⤵
      PID:3656
    - - C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f3yn2udx\f3yn2udx.cmdline"
        6⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCB6.tmp" "c:\Windows\System32\CSC9A00495312214188BF5E6B8B391044D9.TMP"
        7⤵
        
        PID:3936
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Y6sgJvuZe.bat"
        6⤵
        
        PID:3872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1564
        
        C:\Recovery\WindowsRE\Solara_Updater.exe
        
        "C:\Recovery\WindowsRE\Solara_Updater.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
- C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\sol.exe
    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
      4⤵
      PID:448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        5⤵
        
        PID:3520
      - C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
- - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Executes dropped EXE
      PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\sol.exe
      "C:\Users\Admin\AppData\Local\Temp\sol.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        5⤵
        Checks computer location settings
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        6⤵
        
        PID:4648
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3116
    - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:2420
    - - C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        6⤵
        Checks computer location settings
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        7⤵
        
        PID:436
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
    - - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        6⤵
        Executes dropped EXE
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        7⤵
        Checks computer location settings
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        8⤵
        
        PID:4316
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
      - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        7⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        8⤵
        Checks computer location settings
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        9⤵
        
        PID:1604
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        8⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        9⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        10⤵
        
        PID:5112
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        8⤵
        Checks computer location settings
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        9⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        10⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        11⤵
        
        PID:4724
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        9⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        10⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        11⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        12⤵
        
        PID:2568
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        10⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        12⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        12⤵
        Checks computer location settings
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        13⤵
        
        PID:2800
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        14⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        11⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        12⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        13⤵
        Checks computer location settings
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        14⤵
        
        PID:4848
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        15⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        12⤵
        Checks computer location settings
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        13⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        14⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        15⤵
        
        PID:1076
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        16⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        13⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        14⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        15⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        16⤵
        
        PID:4180
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        17⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        14⤵
        Checks computer location settings
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        15⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        16⤵
        Checks computer location settings
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        17⤵
        
        PID:4088
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        18⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        15⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        16⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        17⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        18⤵
        
        PID:3844
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        19⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        16⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        17⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        18⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        19⤵
        
        PID:2772
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        20⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        17⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        18⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        19⤵
        Checks computer location settings
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        20⤵
        
        PID:4472
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        21⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        18⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        19⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        20⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        21⤵
        
        PID:2784
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        22⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        19⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        21⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        21⤵
        Drops file in Drivers directory
        
        PID:2424
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:4496
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        22⤵
        Views/modifies file attributes
        
        PID:3672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        22⤵
        
        PID:1460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:2232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:3560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        22⤵
        
        PID:3536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        22⤵
        
        PID:1568
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:4304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        22⤵
        
        PID:3648
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        22⤵
        Detects videocard installed
        
        PID:2364
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        22⤵
        
        PID:1844
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        23⤵
        Runs ping.exe
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        21⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        22⤵
        
        PID:1768
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        23⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        20⤵
        Checks computer location settings
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        21⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        22⤵
        Checks computer location settings
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        23⤵
        
        PID:3224
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        24⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        21⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        22⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        23⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        24⤵
        
        PID:2680
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        25⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        22⤵
        Checks computer location settings
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        23⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        24⤵
        Checks computer location settings
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        25⤵
        
        PID:3420
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        26⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        23⤵
        Checks computer location settings
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        24⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        25⤵
        Checks computer location settings
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        26⤵
        
        PID:4892
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        27⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        24⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        25⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        25⤵
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        26⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        27⤵
        
        PID:2100
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        28⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        25⤵
        Checks computer location settings
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        26⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        27⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        27⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        26⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        27⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        28⤵
        
        PID:2008
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        29⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        26⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        27⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        27⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        28⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        29⤵
        
        PID:4396
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        30⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        27⤵
        Checks computer location settings
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        28⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        28⤵
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        29⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        30⤵
        
        PID:3056
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        31⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        28⤵
        Checks computer location settings
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        29⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        29⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        30⤵
        Checks computer location settings
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        31⤵
        
        PID:3604
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        32⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        29⤵
        Checks computer location settings
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        30⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        30⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        31⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        32⤵
        
        PID:1508
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        33⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        30⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        31⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        31⤵
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        32⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        33⤵
        
        PID:4524
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        34⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        31⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        32⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        32⤵
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        33⤵
        Checks computer location settings
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        34⤵
        
        PID:2008
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        35⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        32⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        33⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        33⤵
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        34⤵
        Checks computer location settings
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        35⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:1484
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        36⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        33⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        34⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        34⤵
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        35⤵
        Checks computer location settings
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        36⤵
        
        PID:4040
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        37⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        34⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        35⤵
        Checks computer location settings
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        36⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        36⤵
        Drops file in Drivers directory
        
        PID:4972
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:3960
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        37⤵
        Views/modifies file attributes
        
        PID:2796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        37⤵
        
        PID:3976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:2092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:3536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        37⤵
        
        PID:4496
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        37⤵
        
        PID:1876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        37⤵
        
        PID:2296
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        37⤵
        Detects videocard installed
        
        PID:1632
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        37⤵
        
        PID:464
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        38⤵
        Runs ping.exe
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        35⤵
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        36⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        37⤵
        
        PID:1404
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        38⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        35⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        36⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        36⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        37⤵
        Checks computer location settings
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        38⤵
        
        PID:1444
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        39⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        36⤵
        Checks computer location settings
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        37⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        37⤵
        Checks computer location settings
        Modifies registry class
        
        PID:612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        38⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        39⤵
        
        PID:2796
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        40⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        37⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        38⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        38⤵
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        39⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        40⤵
        
        PID:3304
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        41⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        38⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        39⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        39⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        40⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        41⤵
        
        PID:4888
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        42⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        39⤵
        Checks computer location settings
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        40⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        40⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        41⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        42⤵
        
        PID:2324
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        43⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        40⤵
        Checks computer location settings
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        41⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        41⤵
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        42⤵
        Checks computer location settings
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        43⤵
        
        PID:4228
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        44⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        41⤵
        Checks computer location settings
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        42⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        42⤵
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        43⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        44⤵
        
        PID:4956
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        45⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        42⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        43⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        43⤵
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        44⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        45⤵
        
        PID:2444
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        46⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        43⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        44⤵
        Checks computer location settings
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        45⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        45⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        44⤵
        Checks computer location settings
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        45⤵
        Checks computer location settings
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        46⤵
        
        PID:3780
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        47⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        44⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        45⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        45⤵
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        46⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        47⤵
        
        PID:1856
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        48⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        45⤵
        Checks computer location settings
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        46⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        46⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        47⤵
        Checks computer location settings
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        48⤵
        
        PID:3108
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        49⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        46⤵
        Checks computer location settings
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        47⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        47⤵
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        48⤵
        Checks computer location settings
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        49⤵
        
        PID:2796
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        50⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        47⤵
        Checks computer location settings
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        48⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        48⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        49⤵
        Checks computer location settings
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        50⤵
        
        PID:1076
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        51⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        48⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        49⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        49⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        50⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        51⤵
        
        PID:4568
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        52⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        49⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        50⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        50⤵
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        51⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        52⤵
        
        PID:4480
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        53⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        50⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        51⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        51⤵
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        52⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        53⤵
        
        PID:4500
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        54⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        51⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        52⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        52⤵
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        53⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        54⤵
        
        PID:1276
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        55⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        52⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        53⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        54⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        54⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        53⤵
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        54⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        55⤵
        
        PID:4784
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        56⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        53⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        54⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        55⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        55⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        54⤵
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        55⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        56⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        54⤵
        Checks computer location settings
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        55⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        56⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        56⤵
        
        PID:1584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        57⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        55⤵
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        56⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        55⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        56⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        56⤵
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        57⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        56⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        57⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        57⤵
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        58⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        57⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        58⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        58⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        59⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        58⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        59⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        59⤵
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        60⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        59⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        60⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        60⤵
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        61⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        60⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        61⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        61⤵
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        62⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        61⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        62⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        62⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        63⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        62⤵
        Checks computer location settings
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        63⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        63⤵
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        64⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        63⤵
        Checks computer location settings
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        64⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        64⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        65⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        64⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        65⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        65⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        66⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        65⤵
        
        PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\hostNet\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\hostNet\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\hostNet\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Solara_UpdaterS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Solara_Updater.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Solara_Updater" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Solara_Updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Solara_UpdaterS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Solara_Updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 5 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 14 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3556

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
PID:3912

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara_Updater.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bridgeblockportComBroker.exe.log

Filesize
1KB

MD5
cb4338b342d00bfe6111ffee5cbfc2ed

SHA1
fc16673b6833ad3cb00743a32868b859e90aa536

SHA256
343ed6661687e81c9615dcaea42fb1a98b70572bb9fe07e16f020108725dbbe9

SHA512
4bcea1366b8be00d08eb15cfd78c87e1c8f3aea140a4ea30efb3c0511cd3de21b7ce8c933c7478fb06a356573ecb928e50df23d340fbd9a6e6c156a004d2a77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Y6sgJvuZe.bat

Filesize
216B

MD5
9add07571d83fdad3871c4aa1869cbfe

SHA1
4dace5840ecfa3b0cc63fdaed15f78c73ab52048

SHA256
bd388bdd2f3d55809227b7bb8a6d30591441ea52c05df0a98f238bba12276fb1

SHA512
aa93dced011c13751fa677fdb00c5b0433b0aefc6c8ec8dd576da200c1db89833a8981f2e7489ba6bb0277024b48da23d71a0b44f36949123d60927cabf64b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmE6eyGCyH8QzTn\Display\Display.png

Filesize
441KB

MD5
1e762aeea18d42c92947f393fe074dce

SHA1
cb7b162f918e93eec082f973dafa90f5e35a8086

SHA256
f74c9ce2e35c4acf95b73b5d05cdd67359e674eae0ce93f9ee8869dfb1359f1d

SHA512
cb2469f602b678fd8c2e0d7e367d77596b76754ca28cba9043b44c5d65ed712dfe51265a7ac3eaec2520bf8b087028f9d5b7c1c8267eccde06ddedaf5ea8d843

Download Submit
C:\Users\Admin\AppData\Local\Temp\KvpVkWLCinwIAzg

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
139KB

MD5
8f77f8b13b914f358059e3f7b9ddab70

SHA1
d406a28486b4dd881c454e526e149b98c0ec8462

SHA256
c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6

SHA512
b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCB6.tmp

Filesize
1KB

MD5
689b80bb04c3dd31d35999a224d0202f

SHA1
baa2229d463f829c27b3e5fc6f312b273eca8798

SHA256
a5c2c74819ce53aea2c8daab03e838370818c167b51ce90255ad3dc77974c779

SHA512
22bc7d40b65a78d22c05241ad5769a21fa3fb23d99c861c78cc641e18f8ecf9108db9e0e159bf8b6c36db49ac59aede9264d14fcaad02f1083f2838c0eb78b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

Filesize
231KB

MD5
ff8f5c2670894f74456e534b34d6a8fe

SHA1
e0b35ae06f68adf07e4616da8e91bb1f935e492a

SHA256
d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37

SHA512
a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

Download Submit
C:\Users\Admin\AppData\Local\Temp\W1V7kcEkYEmUT7O

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\W1V7kcEkYEmUT7O

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
60KB

MD5
28ff989c1d462f567aabb9c5ba76456b

SHA1
24be926b14f64f6a9f5b8248d1618bae9a7fc0b2

SHA256
a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d

SHA512
2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xj1xtaxs.lxz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gc1uyVVEhhjm9Jt

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\sol.exe

Filesize
2.1MB

MD5
25daefc71be60b76cb49fc81424d768d

SHA1
48be475dd36b433d62d4f7fed9b4d81a90122dee

SHA256
1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a

SHA512
e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

Download Submit
C:\hostNet\bridgeblockportComBroker.exe

Filesize
1.8MB

MD5
8ccc428a5a6f6139dc191d332f3de08b

SHA1
ae550a8fb67deeb1350020aa3fe8b0339db6bc71

SHA256
801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749

SHA512
1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

Download Submit
C:\hostNet\rlqSVEj.vbe

Filesize
230B

MD5
92408a105526970fa12ef23225de61ae

SHA1
bf70e8e671c10bf85771b2b8dd4549766cf79582

SHA256
b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10

SHA512
56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

Download Submit
C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat

Filesize
83B

MD5
02d21af8c5d6e8e0240a01325bcc4154

SHA1
ce58641040b6fe35d465a8a6932c277c7ff37ee5

SHA256
31498b70dce38481c709a35f22dbab0bde2be880abe88d6c90b7a96bf9f070b7

SHA512
758201561db3058e8d6d18c9a838fd49aa612fe0ef544479cc5776e4618ee4e90245b41b1bdb90257298c27fb6ee2589a262f8143816fa091be88a1ca977f7e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f3yn2udx\f3yn2udx.0.cs

Filesize
385B

MD5
26b77c48276c3ee90d3d92fa282fdec4

SHA1
780fff9d398496d0957048d8c7848c314b710e6e

SHA256
de0d1a91da61e84e9b4f59ad511012b786474d6ef98110f051594c46919d21ca

SHA512
441b36780d46a505f146103f8d075ea27f0f600655369aca88cd5eb8a7f680b516f31bc149138dbcfdcffe2c7622c19f50ae2ad33418b921fe8472d9f439cc2c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f3yn2udx\f3yn2udx.cmdline

Filesize
235B

MD5
19407eea4d51d646cccd38f4246ad6aa

SHA1
375e2cd1d0453d054e7113fa494e273e067baebb

SHA256
4bab59147744465bf6e3886e0738520d9fe32a80863fdbeafc999f5504bc50fa

SHA512
d21c990ab52a692668f9e577d145cfee3392c0d3b079d964120838346c1bd6623a9f233aed8f51144d0b255c00f4c98742cc7dcb0ba186cf55b06f2dda89bb2a

Download Submit
\??\c:\Windows\System32\CSC9A00495312214188BF5E6B8B391044D9.TMP

Filesize
1KB

MD5
d52087709e2274a5a9381789082a9d03

SHA1
e1f693bc2b4cd35e7abdea93dc0bb77ef6ddce59

SHA256
f4091edfc561d6d16cdb8f686a10ebade8c6a9239730fddb9c652a1c005790c2

SHA512
5e448e07b49f301dd1d815818527f88d32cac7e869cd8120651b940783a29a18c2b4ec87ad18ce3a85c6973e4b676d9499068e3b805c972b6a95660a3c7dae12

Download Submit
memory/1204-169-0x0000000002700000-0x000000000271C000-memory.dmp

Filesize
112KB

Download
memory/1204-225-0x000000001B0B0000-0x000000001B11B000-memory.dmp

Filesize
428KB

Download
memory/1204-174-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/1204-176-0x00000000026F0000-0x00000000026FC000-memory.dmp

Filesize
48KB

Download
memory/1204-170-0x000000001B060000-0x000000001B0B0000-memory.dmp

Filesize
320KB

Download
memory/1204-172-0x0000000002720000-0x0000000002738000-memory.dmp

Filesize
96KB

Download
memory/1204-167-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/1204-162-0x00000000002E0000-0x00000000004BE000-memory.dmp

Filesize
1.9MB

Download
memory/1212-272-0x00000270323A0000-0x00000270323C2000-memory.dmp

Filesize
136KB

Download
memory/2016-20-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-22-0x0000000000FD0000-0x0000000000FFA000-memory.dmp

Filesize
168KB

Download
memory/2016-142-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

Filesize
10.8MB

Download
memory/2744-141-0x0000025AF92D0000-0x0000025AF9310000-memory.dmp

Filesize
256KB

Download
memory/2744-296-0x0000025AFBA60000-0x0000025AFBAD6000-memory.dmp

Filesize
472KB

Download
memory/2744-297-0x0000025AFB0A0000-0x0000025AFB0BE000-memory.dmp

Filesize
120KB

Download
memory/2744-337-0x0000025AFB080000-0x0000025AFB08A000-memory.dmp

Filesize
40KB

Download
memory/2744-338-0x0000025AFB0E0000-0x0000025AFB0F2000-memory.dmp

Filesize
72KB

Download
memory/3128-25-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp

Filesize
8KB

Download
memory/3128-11-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-1-0x0000000000290000-0x0000000000476000-memory.dmp

Filesize
1.9MB

Download
memory/3536-741-0x000002AB78020000-0x000002AB7823C000-memory.dmp

Filesize
2.1MB

Download
memory/4252-139-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

Filesize
88KB

Download