umbral | 4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara_Updater.exe
Size

1.9MB
MD5

f4cffd7e6cca2b88bba1f19120e9255f
SHA1

28df62794d325206d1f61a400b5c5c682632e371
SHA256

4a10203f9773e4a4f5173a3d1840461bed2b6c206e16b47543bb127a541192bf
SHA512

cb71ef2db087c012744fcac05033cab80947131029ae9bf59b57f85dd2f819e859f105919978a2af4334ac4b8f5b060f5f757b6898cb8fddd720a114b652bfe8
SSDEEP

49152:mH4Y2d/Pz0dB5h1qeU2V0ZBsvH1jBOtGQt/3c5DGqHQX+icSr:mH/QPz0d/pV0AvHLDh5HH4+i

Score

10^/10

umbral xworm execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

answer-riverside.gl.at.ply.gg:45691

Attributes

Install_directory
%AppData%
install_file
svhost.exe

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1239665745831530598/iJT0OELt4O4igXW_VMu-CUIfcqaawXLhyC4Bruuv1t2x0XOvC0_p9dc-G_RxJMO7fn-V

Signatures

Detect Umbral payload 13 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014251-83.dat	family_umbral
behavioral1/memory/2304-84-0x00000000013C0000-0x0000000001400000-memory.dmp	family_umbral
behavioral1/memory/1632-107-0x0000000000C50000-0x0000000000C90000-memory.dmp	family_umbral
behavioral1/memory/2828-237-0x00000000002B0000-0x00000000002F0000-memory.dmp	family_umbral
behavioral1/memory/2632-289-0x0000000000CB0000-0x0000000000CF0000-memory.dmp	family_umbral
behavioral1/memory/2064-309-0x0000000000840000-0x0000000000880000-memory.dmp	family_umbral
behavioral1/memory/2352-322-0x0000000001000000-0x0000000001040000-memory.dmp	family_umbral
behavioral1/memory/2472-334-0x00000000000B0000-0x00000000000F0000-memory.dmp	family_umbral
behavioral1/memory/2540-346-0x00000000001F0000-0x0000000000230000-memory.dmp	family_umbral
behavioral1/memory/2156-396-0x00000000010B0000-0x00000000010F0000-memory.dmp	family_umbral
behavioral1/memory/1944-444-0x00000000012C0000-0x0000000001300000-memory.dmp	family_umbral
behavioral1/memory/1724-456-0x00000000002C0000-0x0000000000300000-memory.dmp	family_umbral
behavioral1/memory/1740-468-0x00000000001E0000-0x0000000000220000-memory.dmp	family_umbral

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000e000000014183-77.dat	family_xworm
behavioral1/memory/1728-85-0x0000000000FF0000-0x0000000001006000-memory.dmp	family_xworm
behavioral1/memory/1868-364-0x0000000001320000-0x0000000001336000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Loader.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Loader.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\smss.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Loader.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\smss.exe\", \"C:\\Windows\\L2Schemas\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Loader.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\smss.exe\", \"C:\\Windows\\L2Schemas\\wscript.exe\", \"C:\\Program Files\\Microsoft Games\\lsass.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\wscript.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Loader.exe\", \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\smss.exe\", \"C:\\Windows\\L2Schemas\\wscript.exe\", \"C:\\Program Files\\Microsoft Games\\lsass.exe\", \"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\wscript.exe\""	bridgeblockportComBroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2608	schtasks.exe	32

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2612	powershell.exe
2428	powershell.exe
324	powershell.exe
2648	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe

Executes dropped EXE 64 IoCs

pid	Process
2300	Loader.exe
3024	sol.exe
2396	Loader.exe
1048	sol.exe
2940	Loader.exe
2632	sol.exe
2604	Loader.exe
2652	sol.exe
1696	Loader.exe
2056	sol.exe
592	Loader.exe
1036	sol.exe
1796	Loader.exe
1772	sol.exe
1852	Loader.exe
2312	sol.exe
1728	XClient.exe
2304	RustCheat.exe
2660	Loader.exe
2408	sol.exe
1976	Loader.exe
2956	sol.exe
2648	XClient.exe
1632	RustCheat.exe
2600	Loader.exe
2080	sol.exe
1824	Loader.exe
1880	sol.exe
3028	bridgeblockportComBroker.exe
1732	Loader.exe
2256	sol.exe
2832	bridgeblockportComBroker.exe
3060	Loader.exe
1776	sol.exe
2156	bridgeblockportComBroker.exe
1808	Loader.exe
2524	sol.exe
1612	bridgeblockportComBroker.exe
2364	Loader.exe
1764	sol.exe
2920	bridgeblockportComBroker.exe
1692	Loader.exe
1640	sol.exe
1776	bridgeblockportComBroker.exe
2636	Loader.exe
924	sol.exe
2892	bridgeblockportComBroker.exe
2624	Loader.exe
1736	sol.exe
1336	Loader.exe
1524	bridgeblockportComBroker.exe
1964	Loader.exe
1644	sol.exe
2832	bridgeblockportComBroker.exe
3060	Loader.exe
3000	sol.exe
872	XClient.exe
2828	RustCheat.exe
1064	bridgeblockportComBroker.exe
2036	Loader.exe
2748	sol.exe
712	bridgeblockportComBroker.exe
2644	Loader.exe
1988	sol.exe

Loads dropped DLL 59 IoCs

pid	Process
796	cmd.exe
796	cmd.exe
2768	cmd.exe
880	cmd.exe
2908	cmd.exe
1304	cmd.exe
1036	cmd.exe
2552	cmd.exe
3032	cmd.exe
1400	cmd.exe
2900	cmd.exe
584	cmd.exe
112	cmd.exe
2432	cmd.exe
2736	cmd.exe
784	cmd.exe
2248	cmd.exe
2356	cmd.exe
2164	cmd.exe
1724	cmd.exe
700	cmd.exe
2204	cmd.exe
2656	cmd.exe
1580	cmd.exe
2764	cmd.exe
2728	cmd.exe
1984	cmd.exe
700	cmd.exe
2204	cmd.exe
1968	cmd.exe
2156	cmd.exe
3060	cmd.exe
1580	cmd.exe
2472	cmd.exe
2256	cmd.exe
2712	cmd.exe
1744	cmd.exe
1448	cmd.exe
2412	cmd.exe
2864	cmd.exe
2612	cmd.exe
1056	cmd.exe
2096	cmd.exe
280	cmd.exe
2432	cmd.exe
912	cmd.exe
1012	cmd.exe
2528	cmd.exe
2972	cmd.exe
2520	cmd.exe
852	cmd.exe
1360	cmd.exe
2372	cmd.exe
1004	cmd.exe
2732	cmd.exe
3016	cmd.exe
1952	cmd.exe
2528	cmd.exe
1208	cmd.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Windows\\L2Schemas\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\smss.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\smss.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Users\\Default User\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Microsoft Games\\lsass.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Windows\\L2Schemas\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeblockportComBroker = "\"C:\\hostNet\\bridgeblockportComBroker.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loader = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Loader.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loader = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\Loader.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Users\\Default User\\wscript.exe\""	bridgeblockportComBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Microsoft Games\\lsass.exe\""	bridgeblockportComBroker.exe

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com
40	ip-api.com
67	ip-api.com
4	ip-api.com
11	ip-api.com
15	ip-api.com
20	ipinfo.io
21	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCBF0C344258F4F859D469C5B633A3698.TMP	csc.exe
File created	\??\c:\Windows\System32\u7e72d.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\lsass.exe	bridgeblockportComBroker.exe
File opened for modification	C:\Program Files\Microsoft Games\lsass.exe	bridgeblockportComBroker.exe
File created	C:\Program Files\Microsoft Games\6203df4a6bafc7	bridgeblockportComBroker.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Loader.exe	bridgeblockportComBroker.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\87ba48885c7d9e	bridgeblockportComBroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\wscript.exe	bridgeblockportComBroker.exe
File created	C:\Windows\L2Schemas\817c8c8ec737a7	bridgeblockportComBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2968	schtasks.exe
2132	schtasks.exe
2128	schtasks.exe
2844	schtasks.exe
2252	schtasks.exe
1552	schtasks.exe
1124	schtasks.exe
2580	schtasks.exe
2872	schtasks.exe
2328	schtasks.exe
2976	schtasks.exe
2920	schtasks.exe
1048	schtasks.exe
1684	schtasks.exe
1992	schtasks.exe
2376	schtasks.exe
2000	schtasks.exe
1724	schtasks.exe
2012	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bridgeblockportComBroker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bridgeblockportComBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe
3028	bridgeblockportComBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	Loader.exe
Token: SeDebugPrivilege	1728	XClient.exe
Token: SeDebugPrivilege	2304	RustCheat.exe
Token: SeDebugPrivilege	1852	Loader.exe
Token: SeIncreaseQuotaPrivilege	2000	wmic.exe
Token: SeSecurityPrivilege	2000	wmic.exe
Token: SeTakeOwnershipPrivilege	2000	wmic.exe
Token: SeLoadDriverPrivilege	2000	wmic.exe
Token: SeSystemProfilePrivilege	2000	wmic.exe
Token: SeSystemtimePrivilege	2000	wmic.exe
Token: SeProfSingleProcessPrivilege	2000	wmic.exe
Token: SeIncBasePriorityPrivilege	2000	wmic.exe
Token: SeCreatePagefilePrivilege	2000	wmic.exe
Token: SeBackupPrivilege	2000	wmic.exe
Token: SeRestorePrivilege	2000	wmic.exe
Token: SeShutdownPrivilege	2000	wmic.exe
Token: SeDebugPrivilege	2000	wmic.exe
Token: SeSystemEnvironmentPrivilege	2000	wmic.exe
Token: SeRemoteShutdownPrivilege	2000	wmic.exe
Token: SeUndockPrivilege	2000	wmic.exe
Token: SeManageVolumePrivilege	2000	wmic.exe
Token: 33	2000	wmic.exe
Token: 34	2000	wmic.exe
Token: 35	2000	wmic.exe
Token: SeIncreaseQuotaPrivilege	2000	wmic.exe
Token: SeSecurityPrivilege	2000	wmic.exe
Token: SeTakeOwnershipPrivilege	2000	wmic.exe
Token: SeLoadDriverPrivilege	2000	wmic.exe
Token: SeSystemProfilePrivilege	2000	wmic.exe
Token: SeSystemtimePrivilege	2000	wmic.exe
Token: SeProfSingleProcessPrivilege	2000	wmic.exe
Token: SeIncBasePriorityPrivilege	2000	wmic.exe
Token: SeCreatePagefilePrivilege	2000	wmic.exe
Token: SeBackupPrivilege	2000	wmic.exe
Token: SeRestorePrivilege	2000	wmic.exe
Token: SeShutdownPrivilege	2000	wmic.exe
Token: SeDebugPrivilege	2000	wmic.exe
Token: SeSystemEnvironmentPrivilege	2000	wmic.exe
Token: SeRemoteShutdownPrivilege	2000	wmic.exe
Token: SeUndockPrivilege	2000	wmic.exe
Token: SeManageVolumePrivilege	2000	wmic.exe
Token: 33	2000	wmic.exe
Token: 34	2000	wmic.exe
Token: 35	2000	wmic.exe
Token: SeDebugPrivilege	2648	XClient.exe
Token: SeDebugPrivilege	1632	RustCheat.exe
Token: SeDebugPrivilege	1976	Loader.exe
Token: SeIncreaseQuotaPrivilege	2032	wmic.exe
Token: SeSecurityPrivilege	2032	wmic.exe
Token: SeTakeOwnershipPrivilege	2032	wmic.exe
Token: SeLoadDriverPrivilege	2032	wmic.exe
Token: SeSystemProfilePrivilege	2032	wmic.exe
Token: SeSystemtimePrivilege	2032	wmic.exe
Token: SeProfSingleProcessPrivilege	2032	wmic.exe
Token: SeIncBasePriorityPrivilege	2032	wmic.exe
Token: SeCreatePagefilePrivilege	2032	wmic.exe
Token: SeBackupPrivilege	2032	wmic.exe
Token: SeRestorePrivilege	2032	wmic.exe
Token: SeShutdownPrivilege	2032	wmic.exe
Token: SeDebugPrivilege	2032	wmic.exe
Token: SeSystemEnvironmentPrivilege	2032	wmic.exe
Token: SeRemoteShutdownPrivilege	2032	wmic.exe
Token: SeUndockPrivilege	2032	wmic.exe
Token: SeManageVolumePrivilege	2032	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2300	2364	Solara_Updater.exe	28
PID 2364 wrote to memory of 2300	2364	Solara_Updater.exe	28
PID 2364 wrote to memory of 2300	2364	Solara_Updater.exe	28
PID 2364 wrote to memory of 3024	2364	Solara_Updater.exe	29
PID 2364 wrote to memory of 3024	2364	Solara_Updater.exe	29
PID 2364 wrote to memory of 3024	2364	Solara_Updater.exe	29
PID 2364 wrote to memory of 3024	2364	Solara_Updater.exe	29
PID 2364 wrote to memory of 2528	2364	Solara_Updater.exe	30
PID 2364 wrote to memory of 2528	2364	Solara_Updater.exe	30
PID 2364 wrote to memory of 2528	2364	Solara_Updater.exe	30
PID 3024 wrote to memory of 2820	3024	sol.exe	31
PID 3024 wrote to memory of 2820	3024	sol.exe	31
PID 3024 wrote to memory of 2820	3024	sol.exe	31
PID 3024 wrote to memory of 2820	3024	sol.exe	31
PID 2528 wrote to memory of 2396	2528	Solara_Updater.exe	33
PID 2528 wrote to memory of 2396	2528	Solara_Updater.exe	33
PID 2528 wrote to memory of 2396	2528	Solara_Updater.exe	33
PID 2528 wrote to memory of 1048	2528	Solara_Updater.exe	34
PID 2528 wrote to memory of 1048	2528	Solara_Updater.exe	34
PID 2528 wrote to memory of 1048	2528	Solara_Updater.exe	34
PID 2528 wrote to memory of 1048	2528	Solara_Updater.exe	34
PID 2528 wrote to memory of 3032	2528	Solara_Updater.exe	35
PID 2528 wrote to memory of 3032	2528	Solara_Updater.exe	35
PID 2528 wrote to memory of 3032	2528	Solara_Updater.exe	35
PID 1048 wrote to memory of 2488	1048	sol.exe	36
PID 1048 wrote to memory of 2488	1048	sol.exe	36
PID 1048 wrote to memory of 2488	1048	sol.exe	36
PID 1048 wrote to memory of 2488	1048	sol.exe	36
PID 3032 wrote to memory of 2940	3032	Solara_Updater.exe	37
PID 3032 wrote to memory of 2940	3032	Solara_Updater.exe	37
PID 3032 wrote to memory of 2940	3032	Solara_Updater.exe	37
PID 3032 wrote to memory of 2632	3032	Solara_Updater.exe	38
PID 3032 wrote to memory of 2632	3032	Solara_Updater.exe	38
PID 3032 wrote to memory of 2632	3032	Solara_Updater.exe	38
PID 3032 wrote to memory of 2632	3032	Solara_Updater.exe	38
PID 3032 wrote to memory of 2584	3032	Solara_Updater.exe	39
PID 3032 wrote to memory of 2584	3032	Solara_Updater.exe	39
PID 3032 wrote to memory of 2584	3032	Solara_Updater.exe	39
PID 2632 wrote to memory of 2636	2632	sol.exe	40
PID 2632 wrote to memory of 2636	2632	sol.exe	40
PID 2632 wrote to memory of 2636	2632	sol.exe	40
PID 2632 wrote to memory of 2636	2632	sol.exe	40
PID 2584 wrote to memory of 2604	2584	Solara_Updater.exe	41
PID 2584 wrote to memory of 2604	2584	Solara_Updater.exe	41
PID 2584 wrote to memory of 2604	2584	Solara_Updater.exe	41
PID 2584 wrote to memory of 2652	2584	Solara_Updater.exe	42
PID 2584 wrote to memory of 2652	2584	Solara_Updater.exe	42
PID 2584 wrote to memory of 2652	2584	Solara_Updater.exe	42
PID 2584 wrote to memory of 2652	2584	Solara_Updater.exe	42
PID 2584 wrote to memory of 1848	2584	Solara_Updater.exe	43
PID 2584 wrote to memory of 1848	2584	Solara_Updater.exe	43
PID 2584 wrote to memory of 1848	2584	Solara_Updater.exe	43
PID 2652 wrote to memory of 1680	2652	sol.exe	44
PID 2652 wrote to memory of 1680	2652	sol.exe	44
PID 2652 wrote to memory of 1680	2652	sol.exe	44
PID 2652 wrote to memory of 1680	2652	sol.exe	44
PID 1848 wrote to memory of 1696	1848	Solara_Updater.exe	45
PID 1848 wrote to memory of 1696	1848	Solara_Updater.exe	45
PID 1848 wrote to memory of 1696	1848	Solara_Updater.exe	45
PID 1848 wrote to memory of 2056	1848	Solara_Updater.exe	46
PID 1848 wrote to memory of 2056	1848	Solara_Updater.exe	46
PID 1848 wrote to memory of 2056	1848	Solara_Updater.exe	46
PID 1848 wrote to memory of 2056	1848	Solara_Updater.exe	46
PID 1848 wrote to memory of 2032	1848	Solara_Updater.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2428
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
      4⤵
      Creates scheduled task(s)
      PID:2968
- - C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2000
- C:\Users\Admin\AppData\Local\Temp\sol.exe
  "C:\Users\Admin\AppData\Local\Temp\sol.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
    3⤵
    PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
      4⤵
      Loads dropped DLL
      PID:796
    - - C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\31pe04wo\31pe04wo.cmdline"
        6⤵
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D79.tmp" "c:\Windows\System32\CSCBF0C344258F4F859D469C5B633A3698.TMP"
        7⤵
        
        PID:2632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z9an11PxpP.bat"
        6⤵
        
        PID:2872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2912
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Loader.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Loader.exe"
        7⤵
        Executes dropped EXE
        
        PID:1336
- C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\sol.exe
    "C:\Users\Admin\AppData\Local\Temp\sol.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
      4⤵
      PID:2488
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        5⤵
        Loads dropped DLL
        
        PID:2768
      - C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        6⤵
        Executes dropped EXE
        
        PID:2832
- - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      4⤵
      Executes dropped EXE
      PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\sol.exe
      "C:\Users\Admin\AppData\Local\Temp\sol.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        5⤵
        
        PID:2636
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        6⤵
        Loads dropped DLL
        
        PID:880
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        7⤵
        Executes dropped EXE
        
        PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        6⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        7⤵
        Loads dropped DLL
        
        PID:2908
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        8⤵
        Executes dropped EXE
        
        PID:1612
    - - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        6⤵
        Executes dropped EXE
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        6⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        7⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        8⤵
        Loads dropped DLL
        
        PID:1304
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        9⤵
        Executes dropped EXE
        
        PID:2920
      - C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        6⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        7⤵
        Executes dropped EXE
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        7⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        8⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        9⤵
        Loads dropped DLL
        
        PID:1036
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        10⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        7⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        8⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        8⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        9⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        10⤵
        Loads dropped DLL
        
        PID:2552
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        11⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        8⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        9⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        10⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        11⤵
        Loads dropped DLL
        
        PID:3032
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        12⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        9⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        10⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        10⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        11⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        12⤵
        Loads dropped DLL
        
        PID:1400
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        13⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        10⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        12⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        12⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        11⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        12⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        13⤵
        Loads dropped DLL
        
        PID:2900
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        14⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        11⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        12⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        12⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        13⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        14⤵
        Loads dropped DLL
        
        PID:584
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        15⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        12⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        13⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        13⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        14⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        15⤵
        Loads dropped DLL
        
        PID:112
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        16⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        13⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        14⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        14⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        15⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        16⤵
        Loads dropped DLL
        
        PID:2432
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        17⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        14⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        15⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        15⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        16⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        17⤵
        Loads dropped DLL
        
        PID:2736
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        18⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        15⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        16⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        16⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        17⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        18⤵
        Loads dropped DLL
        
        PID:784
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        19⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        16⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        17⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        17⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        18⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        19⤵
        Loads dropped DLL
        
        PID:2248
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        20⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        17⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        18⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        18⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        19⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        20⤵
        Loads dropped DLL
        
        PID:2356
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        21⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        18⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        19⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        19⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        20⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        21⤵
        Loads dropped DLL
        
        PID:2164
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        22⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        19⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        20⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        20⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        21⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        22⤵
        Loads dropped DLL
        
        PID:1724
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        23⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        20⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        21⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        21⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        22⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        23⤵
        Loads dropped DLL
        
        PID:700
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        24⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        21⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        22⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        23⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        23⤵
        
        PID:2632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        22⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        23⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        24⤵
        Loads dropped DLL
        
        PID:2204
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        25⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        22⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        23⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        23⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        24⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        25⤵
        Loads dropped DLL
        
        PID:2656
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        26⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        23⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        24⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        24⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        25⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        26⤵
        Loads dropped DLL
        
        PID:1580
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        27⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        24⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        25⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        25⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        26⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        27⤵
        Loads dropped DLL
        
        PID:2764
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        28⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        25⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        26⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        26⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        27⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        28⤵
        Loads dropped DLL
        
        PID:2728
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        29⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        26⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        27⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        27⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        28⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        29⤵
        Loads dropped DLL
        
        PID:1984
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        30⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        27⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        28⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        28⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        29⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        30⤵
        Loads dropped DLL
        
        PID:700
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        31⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        28⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        29⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        29⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        30⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        31⤵
        Loads dropped DLL
        
        PID:2204
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        32⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        29⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        30⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        30⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        31⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        32⤵
        Loads dropped DLL
        
        PID:1968
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        33⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        30⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        31⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        31⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        32⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        33⤵
        Loads dropped DLL
        
        PID:2156
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        34⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        31⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        32⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        32⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        33⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        34⤵
        Loads dropped DLL
        
        PID:3060
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        35⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        32⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        33⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        34⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        34⤵
        
        PID:2064
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        33⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        34⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        35⤵
        Loads dropped DLL
        
        PID:1580
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        36⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        33⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        34⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        34⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        35⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        36⤵
        Loads dropped DLL
        
        PID:2472
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        37⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        34⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        35⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        35⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        36⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        37⤵
        Loads dropped DLL
        
        PID:2256
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        38⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        35⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        36⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        36⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        37⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        38⤵
        Loads dropped DLL
        
        PID:2712
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        39⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        36⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        37⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        38⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        38⤵
        
        PID:2352
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        37⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        38⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        39⤵
        Loads dropped DLL
        
        PID:1744
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        40⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        37⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        38⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        38⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        39⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        40⤵
        Loads dropped DLL
        
        PID:1448
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        41⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        38⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        39⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        40⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        40⤵
        
        PID:2472
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        39⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        40⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        41⤵
        Loads dropped DLL
        
        PID:2412
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        42⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        39⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        40⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        40⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        41⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        42⤵
        Loads dropped DLL
        
        PID:2864
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        43⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        40⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        41⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        42⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        42⤵
        
        PID:2540
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        41⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        42⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        43⤵
        Loads dropped DLL
        
        PID:2612
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        44⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        41⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        42⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        42⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        43⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        44⤵
        Loads dropped DLL
        
        PID:1056
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        45⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        42⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        43⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        44⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        44⤵
        
        PID:2156
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        43⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        44⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        45⤵
        Loads dropped DLL
        
        PID:2096
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        46⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        43⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        44⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        44⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        45⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        46⤵
        Loads dropped DLL
        
        PID:280
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        47⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        44⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        45⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        45⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        46⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        47⤵
        Loads dropped DLL
        
        PID:2432
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        48⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        45⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        46⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        46⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        47⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        48⤵
        Loads dropped DLL
        
        PID:912
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        49⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        46⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        47⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        47⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        48⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        49⤵
        Loads dropped DLL
        
        PID:1012
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        50⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        47⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        48⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        48⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        49⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        50⤵
        Loads dropped DLL
        
        PID:2528
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        51⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        48⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        49⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        49⤵
        
        PID:896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        50⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        51⤵
        Loads dropped DLL
        
        PID:2972
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        52⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        49⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        50⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        50⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        51⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        52⤵
        Loads dropped DLL
        
        PID:2520
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        53⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        50⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        51⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        51⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        52⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        53⤵
        Loads dropped DLL
        
        PID:852
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        54⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        51⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        52⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        52⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        53⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        54⤵
        Loads dropped DLL
        
        PID:1360
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        55⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        52⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        53⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        53⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        54⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        55⤵
        Loads dropped DLL
        
        PID:2372
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        56⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        53⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        54⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        55⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        55⤵
        
        PID:1944
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        54⤵
        
        PID:784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        55⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        56⤵
        Loads dropped DLL
        
        PID:1004
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        57⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        54⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        55⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        55⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        56⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        57⤵
        Loads dropped DLL
        
        PID:2732
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        58⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        55⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        56⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        56⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        57⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        58⤵
        Loads dropped DLL
        
        PID:3016
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        59⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        56⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        57⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        57⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        58⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        59⤵
        Loads dropped DLL
        
        PID:1952
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        60⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        57⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        58⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        58⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        59⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        60⤵
        Loads dropped DLL
        
        PID:2528
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        61⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        58⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        59⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        59⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        60⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat" "
        61⤵
        Loads dropped DLL
        
        PID:1208
        
        C:\hostNet\bridgeblockportComBroker.exe
        
        "C:\hostNet/bridgeblockportComBroker.exe"
        62⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        59⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        60⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        60⤵
        
        PID:888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        61⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        60⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        61⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        61⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        62⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        61⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        62⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        62⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        63⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        62⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        63⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        63⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        64⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        63⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        64⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        64⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        65⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        64⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        65⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        66⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        66⤵
        
        PID:1724
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        67⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        65⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        66⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        65⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        66⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        66⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        67⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        66⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        67⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        68⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        68⤵
        
        PID:1740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        69⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        67⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        68⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        67⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        68⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        68⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        69⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        68⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        69⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        69⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        70⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        69⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        70⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        70⤵
        
        PID:880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        71⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        70⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        71⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\sol.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sol.exe"
        71⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\hostNet\rlqSVEj.vbe"
        72⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara_Updater.exe"
        71⤵
        
        PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Default User\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderL" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Loader.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Loader" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Loader.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LoaderL" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Loader.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 6 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBroker" /sc ONLOGON /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeblockportComBrokerb" /sc MINUTE /mo 5 /tr "'C:\hostNet\bridgeblockportComBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\taskeng.exe
taskeng.exe {9EBDDAF8-8F23-465D-8030-11C530D2F6B5} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
PID:2752
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
139KB

MD5
8f77f8b13b914f358059e3f7b9ddab70

SHA1
d406a28486b4dd881c454e526e149b98c0ec8462

SHA256
c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6

SHA512
b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D79.tmp

Filesize
1KB

MD5
596f17fc0598e7dcab2f7333ee64c6b7

SHA1
3bbd9e3de200026d7e1b77ebf4a2552c34871f97

SHA256
410d1f016c2ccd1b2ae20e9dd80c2f82fb6c46632781aba35ddee4a3f137f23a

SHA512
c3473a6442a29efe9e3172669a5980e468201a2dd61fb0d3794d5ce419dba2468081fda01612444398ff1d959b354186fc72065f9da6924ebf49e41ed6ecaf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

Filesize
231KB

MD5
ff8f5c2670894f74456e534b34d6a8fe

SHA1
e0b35ae06f68adf07e4616da8e91bb1f935e492a

SHA256
d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37

SHA512
a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
60KB

MD5
28ff989c1d462f567aabb9c5ba76456b

SHA1
24be926b14f64f6a9f5b8248d1618bae9a7fc0b2

SHA256
a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d

SHA512
2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

Download Submit
C:\Users\Admin\AppData\Local\Temp\sol.exe

Filesize
2.1MB

MD5
25daefc71be60b76cb49fc81424d768d

SHA1
48be475dd36b433d62d4f7fed9b4d81a90122dee

SHA256
1b27df9e577ab790cafdae0b1ef25ccecdf5f7e2a1ede0d83a3ca32e2987d80a

SHA512
e343905d83bdf353fe759ba5dc4de5bc2e7b1e465066bb4d09388209151e72dfd8df7da780882c533cdc3ee24933de123a8630d6a177bba0ad4d65efc39fadfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QSDL49DPDBWWAW9ZRN72.temp

Filesize
7KB

MD5
998f3b2e5306ff77fc59ebb699577db3

SHA1
3ec4bd108352fbd2d437370344bd5ec0777f3bd0

SHA256
987effb921a246386736ed61f9d689a766e0747b89a5ef4f29beef8c21767f86

SHA512
f15bc95ca0639fb65fd1a8b03fbca2f69e8d2515c095634afa900df465d91863083d91adb0ed0133f7829151ed9ecabb7710f2ff9b5d259cc6fe87c51f4f8890

Download Submit
C:\hostNet\rlqSVEj.vbe

Filesize
230B

MD5
92408a105526970fa12ef23225de61ae

SHA1
bf70e8e671c10bf85771b2b8dd4549766cf79582

SHA256
b4f3f50e48c35a2d03d9e96175722f1c4669e8529c2347f4f17377b2ad726b10

SHA512
56df36df05187743357f3cda16f2b7791c4c760475b90f173ad3d0752475aee45e6549e062ee328f3b1f2ebd56aaa1bb9ceedb1f3200e2383455ac27e1cee043

Download Submit
C:\hostNet\zzWFhk48sL1XAtcm8ZFwrdJ4Z261odQNEr02ajJCwirw.bat

Filesize
83B

MD5
02d21af8c5d6e8e0240a01325bcc4154

SHA1
ce58641040b6fe35d465a8a6932c277c7ff37ee5

SHA256
31498b70dce38481c709a35f22dbab0bde2be880abe88d6c90b7a96bf9f070b7

SHA512
758201561db3058e8d6d18c9a838fd49aa612fe0ef544479cc5776e4618ee4e90245b41b1bdb90257298c27fb6ee2589a262f8143816fa091be88a1ca977f7e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\31pe04wo\31pe04wo.0.cs

Filesize
365B

MD5
a1245ed6b4b895fa6e1c6ac6e55a1dc0

SHA1
9c52c00b27c35438cecb1649483c58f1192c2616

SHA256
d5926949c2371b39b59bc0d27df29a3ff140b9fda1ff5ce165cd8866b20a68ec

SHA512
b9ccb55ad9a7208dc8d6be0341edd8ed61391441e00e9368fccf2f8db8dd1b0d619f4bbf5b98230a8280fc9e5fb674a6a0f41a872452ccb329a9951b5e1b3c2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\31pe04wo\31pe04wo.cmdline

Filesize
235B

MD5
0102a21b62efb3879058619eb36d3e48

SHA1
9e1cb44227d99a0edcab05f9fb6463c8d8d86822

SHA256
f5db2ef1969021a605af0c8353834639557b51852e8bf19701df5c9a7935e242

SHA512
6370f5e259d7660e37000cfa33722deb80652338298485d21875d3ff43b9a77af3ef4c42e53484bb41c02d8c8c4a4a4b430fb4386cc436613afdc9f4106e31e0

Download Submit
\??\c:\Windows\System32\CSCBF0C344258F4F859D469C5B633A3698.TMP

Filesize
1KB

MD5
984924caf6574026769de34f35c2358e

SHA1
6dd41e492235d812252231912aa025f47fa7a9e7

SHA256
2bf5f65c8161575847113a1b4194625204c6ddce042f9b3432011c31348bb986

SHA512
5918fdc8d27ff5421dea1455df93c6cf85738e94c5079701ba7fded59b01bda482b70e2a500ba2c2aebedb6d2b0815d094d9bb271133de738f9e630167f6be46

Download Submit
\hostNet\bridgeblockportComBroker.exe

Filesize
1.8MB

MD5
8ccc428a5a6f6139dc191d332f3de08b

SHA1
ae550a8fb67deeb1350020aa3fe8b0339db6bc71

SHA256
801c5ad5a7853f375e15e1da7361e09b898d3c8770e291b8016eb207bba8c749

SHA512
1479aac1b970722f47cbf77a01b213c84885af15b06e293bf9137863cbce44238832c5f4298dc56ca41847718f581d2bb434220824ffc5d54c08f1e55156e82e

Download Submit
memory/324-213-0x0000000002C00000-0x0000000002C08000-memory.dmp

Filesize
32KB

Download
memory/324-212-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/1336-203-0x00000000012F0000-0x00000000014CE000-memory.dmp

Filesize
1.9MB

Download
memory/1632-107-0x0000000000C50000-0x0000000000C90000-memory.dmp

Filesize
256KB

Download
memory/1724-456-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/1728-85-0x0000000000FF0000-0x0000000001006000-memory.dmp

Filesize
88KB

Download
memory/1740-468-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/1868-364-0x0000000001320000-0x0000000001336000-memory.dmp

Filesize
88KB

Download
memory/1944-444-0x00000000012C0000-0x0000000001300000-memory.dmp

Filesize
256KB

Download
memory/2064-309-0x0000000000840000-0x0000000000880000-memory.dmp

Filesize
256KB

Download
memory/2156-396-0x00000000010B0000-0x00000000010F0000-memory.dmp

Filesize
256KB

Download
memory/2300-7-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/2300-86-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-11-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-84-0x00000000013C0000-0x0000000001400000-memory.dmp

Filesize
256KB

Download
memory/2352-322-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/2364-16-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

Filesize
4KB

Download
memory/2364-10-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-1-0x0000000000240000-0x0000000000426000-memory.dmp

Filesize
1.9MB

Download
memory/2428-232-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2428-233-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2472-334-0x00000000000B0000-0x00000000000F0000-memory.dmp

Filesize
256KB

Download
memory/2540-346-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2632-289-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/2648-218-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2648-219-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2828-237-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/3028-144-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/3028-142-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/3028-140-0x0000000000AA0000-0x0000000000AB8000-memory.dmp

Filesize
96KB

Download
memory/3028-138-0x0000000000640000-0x000000000065C000-memory.dmp

Filesize
112KB

Download
memory/3028-136-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/3028-127-0x0000000000B50000-0x0000000000D2E000-memory.dmp

Filesize
1.9MB

Download