exelastealer | b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-01-2025 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

13.7MB
MD5

cc6d7a6b17febe201b7f7d26ce944c08
SHA1

231e8439c0facca7cc4b730bf950351d48e3a7c2
SHA256

b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd
SHA512

c2abd5a8a59e09951df3d17b591442097cb2615a57abbef9afee9660dcd59ece483ca9a6ab4e83a622235eef4c75ef64dc2b32b58829cef8c485e1517e9ba652
SSDEEP

393216:KsEANEX3gBGYVwwoE0VhUqE7SlO9h4m/a360m:KhIEX3kGN/XBEWs4EA60m

Score

10^/10

exelastealer collection defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller ransomware spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Renames multiple (52) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4212	powershell.exe
4104	powershell.exe
3600	powershell.exe
1004	powershell.exe
240	powershell.exe
2208	powershell.exe
1176	powershell.exe
2636	powershell.exe
5636	powershell.exe
5248	powershell.exe
4988	powershell.exe
556	powershell.exe
3120	powershell.exe
5572	powershell.exe
5488	powershell.exe
1500	powershell.exe
6068	powershell.exe
3092	powershell.exe
5672	powershell.exe
4984	powershell.exe
5572	powershell.exe
3716	powershell.exe
5416	powershell.exe
2260	powershell.exe
3296	powershell.exe
3432	powershell.exe
3984	powershell.exe
4284	powershell.exe
5996	powershell.exe
4736	powershell.exe
4416	powershell.exe
3568	powershell.exe
3672	powershell.exe
4268	powershell.exe
5548	powershell.exe
5396	powershell.exe
2860	powershell.exe
5292	powershell.exe
5248	powershell.exe
2632	powershell.exe
3336	powershell.exe
1036	powershell.exe
4764	powershell.exe
3632	powershell.exe
5376	powershell.exe
2460	powershell.exe
1924	powershell.exe
3712	powershell.exe
5956	powershell.exe
4444	powershell.exe
4484	powershell.exe
2196	powershell.exe
1864	powershell.exe
128	powershell.exe
1216	powershell.exe
4240	powershell.exe
5176	powershell.exe
4956	powershell.exe
3740	powershell.exe
3620	powershell.exe
1384	powershell.exe
2344	powershell.exe
4460	powershell.exe
5196	powershell.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5080	netsh.exe
4212	netsh.exe
2148	netsh.exe
4920	netsh.exe
2964	netsh.exe
1908	netsh.exe

Clipboard Data 1 TTPs 6 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5340	powershell.exe
3128	cmd.exe
4104	powershell.exe
5612	cmd.exe
6040	powershell.exe
3088	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
4672	Exela.exe
808	Exela.exe
5604	Exela.exe
5276	Exela.exe
720	Exela.exe
3348	Exela.exe
2872	Exela.exe
2468	Exela.exe
3084	Exela.exe
5592	Exela.exe
4092	Exela.exe
5372	Exela.exe
5476	Exela.exe
5444	Exela.exe
4936	Exela.exe
3908	Exela.exe
4552	Exela.exe
6052	Exela.exe
2960	Exela.exe
3088	Exela.exe
3812	Exela.exe
5180	Exela.exe
2000	Exela.exe
3804	Exela.exe
2980	Exela.exe
6076	Exela.exe
248	Exela.exe
4368	Exela.exe
3000	Exela.exe
4936	Exela.exe
1948	Exela.exe
5380	Exela.exe
5024	Exela.exe
1576	Exela.exe
1900	Exela.exe
5992	Exela.exe
4056	Exela.exe
2248	Exela.exe
3320	Exela.exe
4832	Exela.exe
2040	Exela.exe
3808	Exela.exe
1892	Exela.exe
2032	Exela.exe
3624	Exela.exe
5968	Exela.exe
4808	Exela.exe
5972	Exela.exe
2204	Exela.exe
4800	Exela.exe
2092	Exela.exe
3672	Exela.exe
5444	Exela.exe
3152	Exela.exe
3596	Exela.exe
2032	Exela.exe
3380	Exela.exe
236	Exela.exe
4404	Exela.exe
1884	Exela.exe
2924	Exela.exe
2032	Exela.exe
5528	Exela.exe
4084	Exela.exe

Loads dropped DLL 64 IoCs

pid	Process
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
808	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
808	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
5276	Exela.exe
3348	Exela.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Network Service Discovery 1 TTPs 6 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5728	ARP.EXE
5996	cmd.exe
1348	ARP.EXE
2704	cmd.exe
3036	ARP.EXE
5256	cmd.exe

Enumerates processes with tasklist 1 TTPs 15 IoCs

discovery

Process Discovery

T1057

pid	Process
3704	tasklist.exe
1268	tasklist.exe
4968	tasklist.exe
3808	tasklist.exe
1580	tasklist.exe
1304	tasklist.exe
2196	tasklist.exe
416	tasklist.exe
5276	tasklist.exe
5420	tasklist.exe
3120	tasklist.exe
1216	tasklist.exe
3924	tasklist.exe
5688	tasklist.exe
2320	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2764	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002abcf-92.dat	upx
behavioral1/memory/808-95-0x00007FFF62FB0000-0x00007FFF6341E000-memory.dmp	upx
behavioral1/files/0x001900000002ab88-99.dat	upx
behavioral1/memory/808-105-0x00007FFF67970000-0x00007FFF67994000-memory.dmp	upx
behavioral1/files/0x001900000002abc3-104.dat	upx
behavioral1/memory/808-126-0x00007FFF6CC80000-0x00007FFF6CC8F000-memory.dmp	upx
behavioral1/files/0x001900000002abd0-129.dat	upx
behavioral1/memory/808-130-0x00007FFF68AF0000-0x00007FFF68AFD000-memory.dmp	upx
behavioral1/files/0x001900000002ab8b-133.dat	upx
behavioral1/files/0x001000000002abd3-137.dat	upx
behavioral1/memory/808-138-0x00007FFF634D0000-0x00007FFF63641000-memory.dmp	upx
behavioral1/files/0x001c00000002abc2-143.dat	upx
behavioral1/files/0x001900000002ab8a-151.dat	upx
behavioral1/memory/808-165-0x00007FFF66720000-0x00007FFF66735000-memory.dmp	upx
behavioral1/memory/808-164-0x00007FFF636D0000-0x00007FFF636EB000-memory.dmp	upx
behavioral1/files/0x001900000002ab97-171.dat	upx
behavioral1/memory/808-180-0x00007FFF66880000-0x00007FFF6689F000-memory.dmp	upx
behavioral1/memory/808-179-0x00007FFF67960000-0x00007FFF6796A000-memory.dmp	upx
behavioral1/memory/808-178-0x00007FFF63420000-0x00007FFF63452000-memory.dmp	upx
behavioral1/files/0x001900000002ab9d-177.dat	upx
behavioral1/memory/808-176-0x00007FFF63460000-0x00007FFF63471000-memory.dmp	upx
behavioral1/memory/808-175-0x00007FFF63480000-0x00007FFF634CD000-memory.dmp	upx
behavioral1/files/0x001900000002ab9a-173.dat	upx
behavioral1/memory/808-170-0x00007FFF636B0000-0x00007FFF636C8000-memory.dmp	upx
behavioral1/memory/808-169-0x00007FFF68C00000-0x00007FFF68C19000-memory.dmp	upx
behavioral1/files/0x001c00000002ab98-167.dat	upx
behavioral1/memory/808-163-0x00007FFF62DD0000-0x00007FFF62EE8000-memory.dmp	upx
behavioral1/memory/808-162-0x00007FFF639D0000-0x00007FFF639F2000-memory.dmp	upx
behavioral1/memory/808-161-0x00007FFF666E0000-0x00007FFF666F4000-memory.dmp	upx
behavioral1/memory/808-160-0x00007FFF66700000-0x00007FFF66714000-memory.dmp	upx
behavioral1/memory/808-159-0x00007FFF68AE0000-0x00007FFF68AF0000-memory.dmp	upx
behavioral1/memory/808-158-0x00007FFF67970000-0x00007FFF67994000-memory.dmp	upx
behavioral1/memory/808-157-0x00007FFF4FDF0000-0x00007FFF50165000-memory.dmp	upx
behavioral1/files/0x001900000002abca-156.dat	upx
behavioral1/files/0x001900000002abd6-153.dat	upx
behavioral1/files/0x001c00000002abc8-150.dat	upx
behavioral1/files/0x001900000002abd4-154.dat	upx
behavioral1/memory/808-181-0x00007FFF62DB0000-0x00007FFF62DCE000-memory.dmp	upx
behavioral1/files/0x001900000002ab8d-148.dat	upx
behavioral1/files/0x001900000002ab84-147.dat	upx
behavioral1/memory/808-182-0x00007FFF66850000-0x00007FFF6687E000-memory.dmp	upx
behavioral1/memory/808-145-0x00007FFF62EF0000-0x00007FFF62FA8000-memory.dmp	upx
behavioral1/memory/808-144-0x00007FFF62FB0000-0x00007FFF6341E000-memory.dmp	upx
behavioral1/memory/808-184-0x00007FFF4FDF0000-0x00007FFF50165000-memory.dmp	upx
behavioral1/memory/808-185-0x00007FFF4F5F0000-0x00007FFF4FDEB000-memory.dmp	upx
behavioral1/files/0x001900000002abc4-141.dat	upx
behavioral1/memory/808-140-0x00007FFF66850000-0x00007FFF6687E000-memory.dmp	upx
behavioral1/files/0x001900000002ab91-139.dat	upx
behavioral1/memory/808-136-0x00007FFF66880000-0x00007FFF6689F000-memory.dmp	upx
behavioral1/files/0x001900000002ab90-135.dat	upx
behavioral1/memory/808-134-0x00007FFF668A0000-0x00007FFF668CD000-memory.dmp	upx
behavioral1/memory/808-132-0x00007FFF668D0000-0x00007FFF668E9000-memory.dmp	upx
behavioral1/files/0x001900000002ab86-131.dat	upx
behavioral1/memory/808-128-0x00007FFF68C00000-0x00007FFF68C19000-memory.dmp	upx
behavioral1/files/0x001900000002ab8f-127.dat	upx
behavioral1/memory/808-187-0x00007FFF62D70000-0x00007FFF62DA7000-memory.dmp	upx
behavioral1/memory/808-186-0x00007FFF62EF0000-0x00007FFF62FA8000-memory.dmp	upx
behavioral1/files/0x001900000002ab93-125.dat	upx
behavioral1/files/0x001900000002ab8e-121.dat	upx
behavioral1/files/0x001900000002ab8c-119.dat	upx
behavioral1/files/0x001900000002ab89-116.dat	upx
behavioral1/files/0x001900000002ab87-115.dat	upx
behavioral1/files/0x001900000002abcd-109.dat	upx
behavioral1/memory/808-205-0x00007FFF636D0000-0x00007FFF636EB000-memory.dmp	upx

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4844	sc.exe
1404	sc.exe
3904	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001c00000002ab80-35.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4116	cmd.exe
3052	netsh.exe
4904	cmd.exe
3760	netsh.exe
4680	cmd.exe
1872	netsh.exe

System Network Connections Discovery 1 TTPs 3 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4720	NETSTAT.EXE
916	NETSTAT.EXE
4340	NETSTAT.EXE

Collects information from the system 1 TTPs 3 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1116	WMIC.exe
2352	WMIC.exe
3924	WMIC.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4084	WMIC.exe
5564	WMIC.exe
5580	WMIC.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4700	ipconfig.exe
4720	NETSTAT.EXE
4252	ipconfig.exe
916	NETSTAT.EXE
6036	ipconfig.exe
4340	NETSTAT.EXE

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4556	systeminfo.exe
3276	systeminfo.exe
2372	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5572	powershell.exe
5572	powershell.exe
1672	powershell.exe
1672	powershell.exe
5488	powershell.exe
5488	powershell.exe
2860	powershell.exe
2860	powershell.exe
4104	powershell.exe
4104	powershell.exe
5292	powershell.exe
5292	powershell.exe
4912	powershell.exe
4912	powershell.exe
1500	powershell.exe
1500	powershell.exe
6068	powershell.exe
6068	powershell.exe
5652	powershell.exe
5652	powershell.exe
4240	powershell.exe
4240	powershell.exe
3340	powershell.exe
3340	powershell.exe
1464	powershell.exe
1464	powershell.exe
5248	powershell.exe
5248	powershell.exe
5956	powershell.exe
5956	powershell.exe
4736	powershell.exe
4736	powershell.exe
1304	powershell.exe
1304	powershell.exe
3704	powershell.exe
3704	powershell.exe
2460	powershell.exe
2460	powershell.exe
3432	powershell.exe
3432	powershell.exe
5520	powershell.exe
5520	powershell.exe
5360	powershell.exe
5360	powershell.exe
6008	powershell.exe
6008	powershell.exe
1348	powershell.exe
1348	powershell.exe
240	powershell.exe
240	powershell.exe
5548	powershell.exe
5548	powershell.exe
1924	powershell.exe
1924	powershell.exe
1752	powershell.exe
1752	powershell.exe
4824	powershell.exe
4824	powershell.exe
6040	powershell.exe
6040	powershell.exe
4212	powershell.exe
4212	powershell.exe
3716	powershell.exe
3716	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeIncreaseQuotaPrivilege	5580	WMIC.exe
Token: SeSecurityPrivilege	5580	WMIC.exe
Token: SeTakeOwnershipPrivilege	5580	WMIC.exe
Token: SeLoadDriverPrivilege	5580	WMIC.exe
Token: SeSystemProfilePrivilege	5580	WMIC.exe
Token: SeSystemtimePrivilege	5580	WMIC.exe
Token: SeProfSingleProcessPrivilege	5580	WMIC.exe
Token: SeIncBasePriorityPrivilege	5580	WMIC.exe
Token: SeCreatePagefilePrivilege	5580	WMIC.exe
Token: SeBackupPrivilege	5580	WMIC.exe
Token: SeRestorePrivilege	5580	WMIC.exe
Token: SeShutdownPrivilege	5580	WMIC.exe
Token: SeDebugPrivilege	5580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5580	WMIC.exe
Token: SeRemoteShutdownPrivilege	5580	WMIC.exe
Token: SeUndockPrivilege	5580	WMIC.exe
Token: SeManageVolumePrivilege	5580	WMIC.exe
Token: 33	5580	WMIC.exe
Token: 34	5580	WMIC.exe
Token: 35	5580	WMIC.exe
Token: 36	5580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2104	WMIC.exe
Token: SeSecurityPrivilege	2104	WMIC.exe
Token: SeTakeOwnershipPrivilege	2104	WMIC.exe
Token: SeLoadDriverPrivilege	2104	WMIC.exe
Token: SeSystemProfilePrivilege	2104	WMIC.exe
Token: SeSystemtimePrivilege	2104	WMIC.exe
Token: SeProfSingleProcessPrivilege	2104	WMIC.exe
Token: SeIncBasePriorityPrivilege	2104	WMIC.exe
Token: SeCreatePagefilePrivilege	2104	WMIC.exe
Token: SeBackupPrivilege	2104	WMIC.exe
Token: SeRestorePrivilege	2104	WMIC.exe
Token: SeShutdownPrivilege	2104	WMIC.exe
Token: SeDebugPrivilege	2104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2104	WMIC.exe
Token: SeRemoteShutdownPrivilege	2104	WMIC.exe
Token: SeUndockPrivilege	2104	WMIC.exe
Token: SeManageVolumePrivilege	2104	WMIC.exe
Token: 33	2104	WMIC.exe
Token: 34	2104	WMIC.exe
Token: 35	2104	WMIC.exe
Token: 36	2104	WMIC.exe
Token: SeDebugPrivilege	3808	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5580	WMIC.exe
Token: SeSecurityPrivilege	5580	WMIC.exe
Token: SeTakeOwnershipPrivilege	5580	WMIC.exe
Token: SeLoadDriverPrivilege	5580	WMIC.exe
Token: SeSystemProfilePrivilege	5580	WMIC.exe
Token: SeSystemtimePrivilege	5580	WMIC.exe
Token: SeProfSingleProcessPrivilege	5580	WMIC.exe
Token: SeIncBasePriorityPrivilege	5580	WMIC.exe
Token: SeCreatePagefilePrivilege	5580	WMIC.exe
Token: SeBackupPrivilege	5580	WMIC.exe
Token: SeRestorePrivilege	5580	WMIC.exe
Token: SeShutdownPrivilege	5580	WMIC.exe
Token: SeDebugPrivilege	5580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5580	WMIC.exe
Token: SeRemoteShutdownPrivilege	5580	WMIC.exe
Token: SeUndockPrivilege	5580	WMIC.exe
Token: SeManageVolumePrivilege	5580	WMIC.exe
Token: 33	5580	WMIC.exe
Token: 34	5580	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5292 wrote to memory of 5572	5292	Solara.exe	78
PID 5292 wrote to memory of 5572	5292	Solara.exe	78
PID 5292 wrote to memory of 2752	5292	Solara.exe	80
PID 5292 wrote to memory of 2752	5292	Solara.exe	80
PID 5292 wrote to memory of 1672	5292	Solara.exe	81
PID 5292 wrote to memory of 1672	5292	Solara.exe	81
PID 5292 wrote to memory of 4672	5292	Solara.exe	83
PID 5292 wrote to memory of 4672	5292	Solara.exe	83
PID 4672 wrote to memory of 808	4672	Exela.exe	84
PID 4672 wrote to memory of 808	4672	Exela.exe	84
PID 808 wrote to memory of 1656	808	Exela.exe	85
PID 808 wrote to memory of 1656	808	Exela.exe	85
PID 808 wrote to memory of 236	808	Exela.exe	87
PID 808 wrote to memory of 236	808	Exela.exe	87
PID 808 wrote to memory of 2260	808	Exela.exe	88
PID 808 wrote to memory of 2260	808	Exela.exe	88
PID 808 wrote to memory of 2072	808	Exela.exe	89
PID 808 wrote to memory of 2072	808	Exela.exe	89
PID 808 wrote to memory of 2964	808	Exela.exe	90
PID 808 wrote to memory of 2964	808	Exela.exe	90
PID 236 wrote to memory of 5580	236	cmd.exe	95
PID 236 wrote to memory of 5580	236	cmd.exe	95
PID 2964 wrote to memory of 3808	2964	cmd.exe	96
PID 2964 wrote to memory of 3808	2964	cmd.exe	96
PID 2260 wrote to memory of 2104	2260	cmd.exe	97
PID 2260 wrote to memory of 2104	2260	cmd.exe	97
PID 2752 wrote to memory of 5488	2752	Solara.exe	98
PID 2752 wrote to memory of 5488	2752	Solara.exe	98
PID 808 wrote to memory of 1712	808	Exela.exe	101
PID 808 wrote to memory of 1712	808	Exela.exe	101
PID 1712 wrote to memory of 572	1712	cmd.exe	103
PID 1712 wrote to memory of 572	1712	cmd.exe	103
PID 808 wrote to memory of 3824	808	Exela.exe	104
PID 808 wrote to memory of 3824	808	Exela.exe	104
PID 808 wrote to memory of 5000	808	Exela.exe	105
PID 808 wrote to memory of 5000	808	Exela.exe	105
PID 3824 wrote to memory of 4080	3824	cmd.exe	108
PID 3824 wrote to memory of 4080	3824	cmd.exe	108
PID 5000 wrote to memory of 1580	5000	cmd.exe	109
PID 5000 wrote to memory of 1580	5000	cmd.exe	109
PID 2752 wrote to memory of 4868	2752	Solara.exe	110
PID 2752 wrote to memory of 4868	2752	Solara.exe	110
PID 2752 wrote to memory of 2860	2752	Solara.exe	111
PID 2752 wrote to memory of 2860	2752	Solara.exe	111
PID 808 wrote to memory of 2764	808	Exela.exe	113
PID 808 wrote to memory of 2764	808	Exela.exe	113
PID 2764 wrote to memory of 4732	2764	cmd.exe	115
PID 2764 wrote to memory of 4732	2764	cmd.exe	115
PID 808 wrote to memory of 4864	808	Exela.exe	116
PID 808 wrote to memory of 4864	808	Exela.exe	116
PID 4864 wrote to memory of 5420	4864	cmd.exe	118
PID 4864 wrote to memory of 5420	4864	cmd.exe	118
PID 2752 wrote to memory of 5604	2752	Solara.exe	119
PID 2752 wrote to memory of 5604	2752	Solara.exe	119
PID 5604 wrote to memory of 5276	5604	Exela.exe	120
PID 5604 wrote to memory of 5276	5604	Exela.exe	120
PID 808 wrote to memory of 4832	808	Exela.exe	121
PID 808 wrote to memory of 4832	808	Exela.exe	121
PID 808 wrote to memory of 1752	808	Exela.exe	122
PID 808 wrote to memory of 1752	808	Exela.exe	122
PID 808 wrote to memory of 4212	808	Exela.exe	123
PID 808 wrote to memory of 4212	808	Exela.exe	123
PID 808 wrote to memory of 3128	808	Exela.exe	124
PID 808 wrote to memory of 3128	808	Exela.exe	124

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5572
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    3⤵
    - Adds Run key to start application
    PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5292
  - - C:\Users\Admin\AppData\Local\Temp\Solara.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
      4⤵
      Adds Run key to start application
      PID:1532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        5⤵
        
        PID:5108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5652
      - C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        6⤵
        Adds Run key to start application
        
        PID:5680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        7⤵
        Adds Run key to start application
        
        PID:4636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        8⤵
        Adds Run key to start application
        
        PID:4048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        9⤵
        Adds Run key to start application
        
        PID:2176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        10⤵
        Adds Run key to start application
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        11⤵
        Adds Run key to start application
        
        PID:5764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        12⤵
        
        PID:4772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        13⤵
        Adds Run key to start application
        
        PID:780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        14⤵
        Adds Run key to start application
        
        PID:1356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        15⤵
        Adds Run key to start application
        
        PID:1624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        16⤵
        Adds Run key to start application
        
        PID:4648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        17⤵
        Adds Run key to start application
        
        PID:2352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        18⤵
        Adds Run key to start application
        
        PID:3656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        19⤵
        
        PID:4476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        20⤵
        Adds Run key to start application
        
        PID:1124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        21⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        21⤵
        Adds Run key to start application
        
        PID:5536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        22⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        22⤵
        Adds Run key to start application
        
        PID:5196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        23⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        23⤵
        Adds Run key to start application
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        24⤵
        Adds Run key to start application
        
        PID:3488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        25⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        25⤵
        Adds Run key to start application
        
        PID:5232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        26⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        26⤵
        
        PID:3744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        27⤵
        
        PID:4360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        28⤵
        Adds Run key to start application
        
        PID:5376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        29⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        29⤵
        Adds Run key to start application
        
        PID:3728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        30⤵
        Adds Run key to start application
        
        PID:2284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        31⤵
        Adds Run key to start application
        
        PID:5028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        32⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        32⤵
        Adds Run key to start application
        
        PID:4616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        33⤵
        Adds Run key to start application
        
        PID:4548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:128
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        34⤵
        Adds Run key to start application
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        35⤵
        
        PID:244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        36⤵
        Adds Run key to start application
        
        PID:3672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        37⤵
        Adds Run key to start application
        
        PID:4844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        38⤵
        Adds Run key to start application
        
        PID:4056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        39⤵
        Adds Run key to start application
        
        PID:2548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        40⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        40⤵
        Adds Run key to start application
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        41⤵
        Adds Run key to start application
        
        PID:3704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        42⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        42⤵
        Adds Run key to start application
        
        PID:5632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        43⤵
        
        PID:4540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        44⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        44⤵
        Adds Run key to start application
        
        PID:664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        45⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        45⤵
        Adds Run key to start application
        
        PID:5112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        46⤵
        
        PID:2096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        47⤵
        
        PID:5436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        48⤵
        Adds Run key to start application
        
        PID:4556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        49⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        49⤵
        
        PID:5840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        50⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        50⤵
        Adds Run key to start application
        
        PID:952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        51⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        51⤵
        Adds Run key to start application
        
        PID:4460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        52⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        52⤵
        Adds Run key to start application
        
        PID:5088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        53⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        53⤵
        Adds Run key to start application
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        54⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        54⤵
        
        PID:5708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        55⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        55⤵
        
        PID:5972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        55⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        55⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        56⤵
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        54⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        55⤵
        
        PID:4456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        56⤵
        
        PID:4648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        53⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        54⤵
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        55⤵
        
        PID:640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        52⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        53⤵
        
        PID:2532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        54⤵
        
        PID:724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        51⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        52⤵
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        53⤵
        
        PID:5520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        53⤵
        
        PID:1748
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        54⤵
        Detects videocard installed
        
        PID:5564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        53⤵
        
        PID:4340
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        54⤵
        
        PID:4104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        53⤵
        
        PID:3240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        53⤵
        
        PID:3048
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        54⤵
        Enumerates processes with tasklist
        
        PID:3924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        53⤵
        
        PID:948
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        54⤵
        
        PID:5832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        53⤵
        
        PID:2032
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        54⤵
        
        PID:3204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        53⤵
        
        PID:3580
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        54⤵
        Enumerates processes with tasklist
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        53⤵
        
        PID:2224
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        54⤵
        Enumerates processes with tasklist
        
        PID:5276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        53⤵
        
        PID:1860
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        54⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp
        55⤵
        
        PID:2356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        53⤵
        
        PID:4360
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        54⤵
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp
        55⤵
        
        PID:5320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        53⤵
        
        PID:5380
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        54⤵
        Enumerates processes with tasklist
        
        PID:416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        53⤵
        Clipboard Data
        
        PID:3088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        54⤵
        Clipboard Data
        
        PID:5340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        53⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4680
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        54⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        53⤵
        Network Service Discovery
        
        PID:2704
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        54⤵
        Gathers system information
        
        PID:2372
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        54⤵
        
        PID:5432
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        54⤵
        Collects information from the system
        
        PID:1116
        
        C:\Windows\system32\net.exe
        
        net user
        54⤵
        
        PID:1956
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        55⤵
        
        PID:200
        
        C:\Windows\system32\query.exe
        
        query user
        54⤵
        
        PID:4744
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        55⤵
        
        PID:5636
        
        C:\Windows\system32\net.exe
        
        net localgroup
        54⤵
        
        PID:1216
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        55⤵
        
        PID:4336
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        54⤵
        
        PID:3168
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        55⤵
        
        PID:3368
        
        C:\Windows\system32\net.exe
        
        net user guest
        54⤵
        
        PID:240
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        55⤵
        
        PID:3784
        
        C:\Windows\system32\net.exe
        
        net user administrator
        54⤵
        
        PID:5372
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        55⤵
        
        PID:3364
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        54⤵
        
        PID:5248
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        54⤵
        Enumerates processes with tasklist
        
        PID:4968
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        54⤵
        Gathers network information
        
        PID:6036
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        54⤵
        
        PID:460
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        54⤵
        Network Service Discovery
        
        PID:3036
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        54⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4340
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        54⤵
        Launches sc.exe
        
        PID:1404
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        54⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4920
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        54⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        53⤵
        
        PID:1252
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        54⤵
        
        PID:2376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        53⤵
        
        PID:1656
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        54⤵
        
        PID:4140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        50⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        51⤵
        
        PID:3324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        52⤵
        
        PID:2396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        49⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        50⤵
        
        PID:2288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        51⤵
        
        PID:1096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        48⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        49⤵
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        50⤵
        
        PID:4720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        47⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        48⤵
        
        PID:5528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        49⤵
        
        PID:5208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        46⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        47⤵
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        48⤵
        
        PID:4832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        45⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        46⤵
        
        PID:3760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        47⤵
        
        PID:5108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        44⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        45⤵
        
        PID:1164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        46⤵
        
        PID:4456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        43⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        43⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        44⤵
        
        PID:1560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        45⤵
        
        PID:1288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        42⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        43⤵
        
        PID:4972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        44⤵
        
        PID:3952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        41⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        42⤵
        
        PID:5396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        43⤵
        
        PID:5112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        40⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        40⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        41⤵
        
        PID:5164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        42⤵
        
        PID:664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        39⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        40⤵
        
        PID:3248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        41⤵
        
        PID:4540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        38⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        38⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        39⤵
        
        PID:5448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        40⤵
        
        PID:2320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        37⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        37⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        38⤵
        
        PID:5540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        39⤵
        
        PID:5176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        36⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        36⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        37⤵
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        38⤵
        
        PID:6096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        35⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        36⤵
        
        PID:3616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        37⤵
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        34⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        35⤵
        
        PID:2440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        36⤵
        
        PID:6052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        33⤵
        Executes dropped EXE
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        34⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        35⤵
        
        PID:4252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        32⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        32⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        33⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        34⤵
        
        PID:5320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        31⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        32⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        33⤵
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        30⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        31⤵
        Executes dropped EXE
        
        PID:236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        32⤵
        
        PID:4460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        29⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        30⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        31⤵
        
        PID:6100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        28⤵
        Executes dropped EXE
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        29⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        30⤵
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        30⤵
        
        PID:3656
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        31⤵
        Detects videocard installed
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        30⤵
        
        PID:5600
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        31⤵
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        30⤵
        
        PID:688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        30⤵
        
        PID:1636
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        31⤵
        Enumerates processes with tasklist
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        30⤵
        
        PID:2396
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        31⤵
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        30⤵
        
        PID:2600
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        31⤵
        
        PID:2908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        30⤵
        
        PID:2984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        31⤵
        Enumerates processes with tasklist
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        30⤵
        
        PID:2552
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        31⤵
        Enumerates processes with tasklist
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        30⤵
        
        PID:1696
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        31⤵
        
        PID:1920
        
        C:\Windows\system32\chcp.com
        
        chcp
        32⤵
        
        PID:900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        30⤵
        
        PID:2368
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        31⤵
        
        PID:5396
        
        C:\Windows\system32\chcp.com
        
        chcp
        32⤵
        
        PID:1184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        30⤵
        
        PID:3560
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        31⤵
        Enumerates processes with tasklist
        
        PID:1216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        30⤵
        Clipboard Data
        
        PID:5612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        31⤵
        Clipboard Data
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        30⤵
        Network Service Discovery
        
        PID:5996
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        31⤵
        Gathers system information
        
        PID:3276
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        31⤵
        
        PID:432
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        31⤵
        Collects information from the system
        
        PID:3924
        
        C:\Windows\system32\net.exe
        
        net user
        31⤵
        
        PID:5260
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        32⤵
        
        PID:4004
        
        C:\Windows\system32\query.exe
        
        query user
        31⤵
        
        PID:3116
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        32⤵
        
        PID:3672
        
        C:\Windows\system32\net.exe
        
        net localgroup
        31⤵
        
        PID:3036
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        32⤵
        
        PID:6008
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        31⤵
        
        PID:3304
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        32⤵
        
        PID:1980
        
        C:\Windows\system32\net.exe
        
        net user guest
        31⤵
        
        PID:552
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        32⤵
        
        PID:5572
        
        C:\Windows\system32\net.exe
        
        net user administrator
        31⤵
        
        PID:4620
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        32⤵
        
        PID:1284
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        31⤵
        
        PID:3984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        31⤵
        Enumerates processes with tasklist
        
        PID:1268
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        31⤵
        Gathers network information
        
        PID:4252
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        31⤵
        
        PID:748
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        31⤵
        Network Service Discovery
        
        PID:1348
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        31⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:916
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        31⤵
        Launches sc.exe
        
        PID:4844
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        31⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4212
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        31⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        30⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4904
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        31⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        30⤵
        
        PID:5540
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        31⤵
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        30⤵
        
        PID:956
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        31⤵
        
        PID:6084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        27⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        27⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        28⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        29⤵
        
        PID:3596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        26⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        26⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        27⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        28⤵
        
        PID:1300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        25⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        25⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        26⤵
        Executes dropped EXE
        
        PID:5972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        27⤵
        
        PID:4212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        24⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        25⤵
        Executes dropped EXE
        
        PID:5968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        26⤵
        
        PID:3468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        23⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        24⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        25⤵
        
        PID:3736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        22⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        23⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        24⤵
        
        PID:4996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        21⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        22⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        23⤵
        
        PID:1532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        20⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        21⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        22⤵
        
        PID:4944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        19⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        19⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        20⤵
        Executes dropped EXE
        
        PID:5992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        21⤵
        
        PID:1504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        18⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        19⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        17⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        18⤵
        Executes dropped EXE
        
        PID:5380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        16⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        17⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:2800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        15⤵
        Executes dropped EXE
        
        PID:248
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        16⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:6008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        14⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        15⤵
        Executes dropped EXE
        
        PID:6076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:5768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        13⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        14⤵
        Executes dropped EXE
        
        PID:3804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:3168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        12⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        13⤵
        Executes dropped EXE
        
        PID:5180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        11⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        12⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        10⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        11⤵
        Executes dropped EXE
        
        PID:6052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        9⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        10⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:1620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        8⤵
        Executes dropped EXE
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        9⤵
        Executes dropped EXE
        
        PID:5444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        7⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        8⤵
        Executes dropped EXE
        
        PID:5372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:5716
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        6⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        7⤵
        Executes dropped EXE
        
        PID:5592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:5144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6068
    - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        5⤵
        Executes dropped EXE
        
        PID:2872
      - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        6⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:5544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
      "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
      4⤵
      Executes dropped EXE
      PID:720
    - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5604
  - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
      "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:236
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:2072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:4832
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:968
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:5704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1752
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:3356
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4212
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4116
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:5256
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:4556
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:2360
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:2352
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:2224
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:1464
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:4872
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:1172
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:4336
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:3552
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:4956
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:484
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:6084
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:5204
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:2752
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:5316
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:3292
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:5688
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:4700
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:1560
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:5728
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4720
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:3904
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1908
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1696
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4884
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80b42fe4c6cf64624e6c31e5d7f2d3b3

SHA1
1f93e7dd83b86cb900810b7e3e43797868bf7d93

SHA256
ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d

SHA512
83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8cb7f4b4ab204cacd1af6b29c2a2042c

SHA1
244540c38e33eac05826d54282a0bfa60340d6a1

SHA256
4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

SHA512
7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
37338f6bccdbcabcc5e87f2762959cf5

SHA1
594913d2f93a57931e3e3c89dc6ab4a926f5ee09

SHA256
4468efee0cc1f1eb6e27d93e99bb2504cd9b0805f9c964205920061894f917c2

SHA512
46cc518847711f809a2cb907f43e1dc08f43561ab2dd4ddc2447775fd0c932cc8fa094729a3b1da7ecea03e1796541d9224067e9e029afa77e64b23c75b80925

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exela.exe

Filesize
9.5MB

MD5
0615d49be12c174704a3daad945f7b56

SHA1
90d67801dcff362ce2c2accafd5010c7f79567d6

SHA256
573a7f2fa701a7630318119d9e6d916cb8a0acd87a0a2797b7197e9ae85c0071

SHA512
40d702b8fd2993aeeb09755e760d3611d76f927ae6831ab7066386d3a133257e06330ddff2d28406b77c1d9e502e79a7a72b8984ce0d795948da07dd03b9bea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ApproveSearch.docx

Filesize
19KB

MD5
a6ccb480cd73f7212a55c17534309a02

SHA1
12623da660f9bc9a82b0e9f9b9c41080e5626ab8

SHA256
68d3859d070abe1d17d420d357c925d87c62a7a0c2e89ba00062a111d9767d65

SHA512
a39a018498ef052a1b39d43d7709d9ea6e0b5a2611229d22a5a7bbc9080e349dddb1282faa3a727e3ec5b81e02caa6526ee86c6595aa49aade5798e824b2c167

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\DisableBackup.fon

Filesize
646KB

MD5
838d8f6720bf676d55e974501a81b57f

SHA1
c52be87a25582d41f218c53a7c2872b534aa7761

SHA256
1563a2efee72cb667b0a0bdf3df08dab7515bbdde37ed5c180949f5a3092dd9c

SHA512
4c02eb3a2408bedd19a97f22301311b32a63c3f90bd45698c83fed7be9afa0ed94c3256eb510dda424a53ee87d561a492826a92096eef02b4f5bcb4ac81d935d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ExpandRedo.xlsx

Filesize
13KB

MD5
ab90d7f3bbe665ac6d934100b1585dc9

SHA1
bfc3c8d612ac6594ec2b83a1179b8d4544e89614

SHA256
c06da2b43148c12c8247c56c89540a20a6d87c7bed304c03fc993ef605d89bdf

SHA512
c4709089e52b392360d1504b6400d2a16a48c9766048ec4780677121e3f58b34d4c1973886c2beb7d3d8d25fb495b788c652ada723d81ea3c0a45b7759a72fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RedoEnable.pdf

Filesize
274KB

MD5
08044b4865a5664632a85b41a9e8674c

SHA1
0eac838cfd4a48408c31ee56d5beb17ce8b6aa68

SHA256
8f1ebf7514211774e3fe41029484beaefacdd729ee6f44660c2af4901d58fa77

SHA512
701be5046dd805f91f1c19f1b500c067bdab00ab1a5ab25ec0946cd0c6dad648d6953dcdc729c78fa1ff225af73cbe3d8755b41b785816e374c0d566275e4e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnregisterSend.docx

Filesize
13KB

MD5
ce2fe8ea072530fb6e9cc38a7ae3a82c

SHA1
2a18800dcb9eb746297841863e689fbeeff9b9bb

SHA256
bb3d670f5b24bd65b356aaad8d563fd295184c183643f41b0c61b05710acad31

SHA512
29579e5882e559016d7ff19f91110952417dd95468f2ea1ac968a647d4065337b8016f1d36bf9e82d59163e774264447f3a6e6e13f92af6b54b1988a832cb073

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ConfirmInvoke.xlsx

Filesize
10KB

MD5
ad811b9645d47b57d86ca257e83f2276

SHA1
8bbdce85cf00f069c05b6e66eaac45decc1214d2

SHA256
23b2d3b165350c7f60ac8ebc1d2daa82884d0c315776792b4f1c5f69444d35f3

SHA512
fb377adc8428feb8f950feb2b2358fccabb04a2cdefdfcc246e67b09599c55973e1754b5f86ed0cd7cf097db99e42a270f55a82e799540fbdddc01636a3bdefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\DenyInstall.csv

Filesize
1.0MB

MD5
15acaf305ee0964b6019c79e088d4cee

SHA1
5f08bb04fdaafdf27b2038461753e655a4a4bc9e

SHA256
3a153923ea9750eb70f9d7c3685e207a5d08582f859ff9b32175c4220bdd6cd3

SHA512
e39abc3958d8fffac199925bf2803b82f37b98df5efda42e18bf0b60bbcd9a644a7d3978f512b7e051d0f3384fe0e5665cf846a701eb7022440905c31da36578

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\DismountRestore.docx

Filesize
16KB

MD5
408a99360790de83b5611675f45cd57c

SHA1
c3f2ee4bdc638c7394dc9b4417b778a2507bfef5

SHA256
72e8ba50bd946468d0f3934f1e354de51c9e615270f21262c2474f738d921989

SHA512
263eb5ead7f91e4986d92a36d659e00848328287feb9dba3778fdcbd813e6d326a106b2d602485e42757a0370b148edb6d3d1b5f7155f54d7e7f3c8208dc6e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\DismountSwitch.xlsx

Filesize
632KB

MD5
fde287892f3f72607a97ef0a5c54a180

SHA1
618f0f8e912abd2a80065e67676d5cb74b4b2885

SHA256
69df76b40d0ce3316b2ec0328f7e4907915fbb191b642c5e80bff6f117cc42e4

SHA512
bf039278c3137c2ff045316e599a114953fe25246339533ef14ede2c31e91320b439530f309edd6c83ce29a50fe1484796679b036e9a75693a867b7f470051dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\FormatStop.csv

Filesize
1021KB

MD5
ae1e4055c26711b9d6bdde4bf893e39d

SHA1
908f857c881db5818a283087d2c7ce556a125162

SHA256
a1717a23689c02999b9b65cf70bf267336289ff33e186186f81ab58b2debf618

SHA512
215c3327307a4fb23a245204891c47f0a19f3fa90f08f88af539be4e72c5437911fa1ed6c8108ef25fba0d8663406675a06df1a7288676a6481d751823174343

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\MergeRevoke.doc

Filesize
535KB

MD5
f8fa5d90e29bb81be862649fae4582df

SHA1
627beb7e6c2ee0c7d8a5d9d12e4c8c909f01d256

SHA256
b12887db194ce67dc51e286f7b514d188b7f5c1d42b68a4fbde2699452c26d25

SHA512
bcc2a55b3e6103c253eeeae003d38c7267a594b86cce59c3ae4d05fa6b3454edb647ef4e24b7b20d4a111c9e1d4dc95e1405ff4161a85e3a94fd00ae698f01d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\PushInstall.csv

Filesize
924KB

MD5
b8c3d52ad5cc184513754d2221d86f32

SHA1
658e928262ca895cd350b5d0974a6c0c9226851d

SHA256
47452be1d7c30081f241870f63be199730cacb0110c877e6b4e13fc73bfef54a

SHA512
83329c7588629ac237dae18a2348226455bdb06c24d3c3906d2e67bd59255b01962ff761a6bf2c69b81d91c17ee0252be3fc1b1db0defe6568f04f757c276591

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ResumeUnblock.docx

Filesize
20KB

MD5
2c1c1463214296f2e04f4776e1561318

SHA1
a8da953b3346eca7468aae29b477724ecd0b0ba7

SHA256
bb4b4fe726903ef135d18358a8baab230cb565ffd6af8b5a4ad8337400c6a3fd

SHA512
b6484addc949117f08bc8367b1308512dd7e84f5871b0d64c31f79923e8aa7324fd0dbefe7feb94d63426b42d29ef79942de02c1bccf6734e945939bd4d6e105

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SetResume.xlsx

Filesize
583KB

MD5
57a94cce9e5402ed43a117ed6cee32d0

SHA1
30ca4f70b08ec8f246a905c6af0f4cf8733ce30c

SHA256
dfcc7a9363d5adfe6d7eb2c3de35a66442810252774705bf4124e33429cde182

SHA512
16f0a4e9cd7f2677ad6fdf9f1fa0f100df72171a6531664c872b553a830121addc0d03980788aefd4ecb741de6786b9f75ebda8e7be44feeb09e2b5ebfd6d00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\TraceSend.xlsx

Filesize
9KB

MD5
78da3404e0173ae1a49aaededcec8cba

SHA1
9d652ed9765d372ce6b3d77b261ee85a4cc80e5a

SHA256
234b703a95625bbae4704c98494df8f110e00a1011dc0d642b0aee836e22a7a5

SHA512
c3502d01cb9d70fb89e9272e333ad75da4e3952a45c698031c33c1ff7762f295721b6278635fe328719f430ea4bd8b31abb7c799698ccc416d43a2245a4ea227

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\UpdateCheckpoint.xlsx

Filesize
10KB

MD5
5effdf341e00fa1db2fb851a86da11fb

SHA1
aaced031651d2d6b499dfdfc36af80d8537d080e

SHA256
fc6a02a51006d722d926ba24741150c52dc39fe9f4125a4fac0b647cf1854109

SHA512
bad498490d6a9a8a8950a85f8197d255d22d14455d2342919773d6dc7cc00d24374112ef8258375ceae63cdadc9c55b88f68c236de2066275c4c3e068d648ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\CompressInvoke.png

Filesize
464KB

MD5
4e04614769f2d26a5dde788073c001de

SHA1
df66ddabcf7e4ff02f69d17b04f13050305b8234

SHA256
a79821a919e5dbeb41922c2871643e7e8a9146f9c4864f68a797a25e34a4b1a7

SHA512
eaaec11bb86179583d9107633808a0a64556435c9e6b2994b380c6fdc5fb450ae6aff5c9b81550325513dfe846b13f6c09ffc14b8df2d131ff5b7cae72ef1048

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\DebugUninstall.jpg

Filesize
696KB

MD5
dd66bf567840a8329b06dfa1d4481b6f

SHA1
feb801884a23fb369e92c8d64af222678079c8cf

SHA256
50f4fcc7ce57fa15fcb126233f9b52c90f9bf039d1cf81e9228023687c5b2f7c

SHA512
c0eb5076bf1c3a8d7789b47290d68be2957c0100e7a05c6489aa1a296a40a7a4420b6142e3bcae0be9a89c08495dd4fe8ece56e82cd844a9efc323b29fbb6f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\GetJoin.zip

Filesize
365KB

MD5
bb39b11775e9bacf1e9cb1aea5649d52

SHA1
06271af0ce3319253a15b57aca1b83d9c7b89a3c

SHA256
5995902e0a440d5c023d6bb43f64fe5b70fb30a802126f0bee804d6516d14b15

SHA512
57e706966bc53bcfea4ff299d903ea3c5efb0468b2073992bbf0795d94e83375efaf5216135a1f6ccb662284df7fd4318c7ae2d51e6754b70ed746c9126393d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ShowWrite.png

Filesize
862KB

MD5
9e5998f2d4940c154b8283b877d08190

SHA1
deec0c686610e9edc10ac3071a1cf7d6023a3a30

SHA256
a56b58b90fa5ca184dfe3483593f982792285262cb64c452933e717d238e5f97

SHA512
038e3afcd748c37a8889ceb1b17df3ce3dc3fe343300fa9b819d194257461691ea0f80305cc96af1ada840244122ffb1526c88e48154297463500bff87f21f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SwitchStart.xlsx

Filesize
779KB

MD5
e43691fdf5167ce48dc0626434e46dfd

SHA1
d2fba60651f21b130fc9b087c33ac42d154790fa

SHA256
8e1959f56bcfe2e69b9b2a3ce951482d8bb24f070e7a6df0bbab802024d62e1e

SHA512
a1e214dcfe5a04e9b9b65050be440acca3879ef34385adab77eaa91555a81c1e0c748a0ee0a73e29854ce06d75dff22162fddaa84d4376c5130c29813e4215d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\TestNew.mp3

Filesize
315KB

MD5
e015a67f15590262366bf05000c5a6ea

SHA1
ab6653edbb579ab1fe23a144b240147f6c2f9318

SHA256
98e24d76f7a3bc323e569880bbaa07cd10c87c3b50929a21e9d2e93eefa0c2d2

SHA512
7e94059de20db7920e3b5fb392dce9a95f3061186c711a3e31cad2a5c78e2091abc60df1d4977dc8464f589a6f02ced698e46230ea6f09662ceead57b4e160b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\UpdateDismount.jpg

Filesize
348KB

MD5
cc6d289358eb6ba87068d3027e4ed096

SHA1
69f8ace68f5c6a23cc6ad64f59312e686be119b2

SHA256
50c0589199760239548277f8739dc160574258d26c35a5d11512edce185d5a2d

SHA512
2f7b2dcabd6502cb111afe9e616156423d7f0cd1116aa71e57716b4433e56a4d22f78ac114ba8158907994455f59a968a67aac4f2e4a027cdf08098878c542fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\DisableSync.txt

Filesize
571KB

MD5
b60c434425fb20061cccf18cd65baf2f

SHA1
f6913a997b24c92e5b2b527e85f3675a2fc1e99a

SHA256
bb9750621e219a8117b0a98a9b8921557f618556804a0a021b43244f574e612d

SHA512
cd1c5e8733aebdc813efe6f2a89b6ef708e99f3ffc11dae59630c53903cc98a69937982cb9151c802a250b2551da59b52b5185a31078df3e4a253a525ed0552f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\RestoreRead.zip

Filesize
229KB

MD5
c5dab0c301b871909967f6dc5d41f475

SHA1
d8b3bbed3a9ce9c05d66d65f9283d2d519900ccc

SHA256
7be4a253725aae32e58ef44ddf54a9685952aee92982fad7bbb9270f5656e779

SHA512
00a5a421ab40a62a3107b901e63e8ef4225ef265df64a088075880a98ad78386aacbdde131e7e10f869d963e3c55b4cf1af10e5ccdb8b11647dba753c631a099

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
70483b2b6c1b377935d0667ad48442f9

SHA1
8c55b53dd72bb908dcf6142efc1012d4809687cc

SHA256
bba3099cbd15dce9a683ab89cabc577fb3db834e57d44241d34058ed13be11ed

SHA512
7ea7e8c38a467eadc079be3c96439ab55403b5995f979de96afa138ad98d87abda3b5105ae751acbb123aca9a24b5066de24bb02fe564bce217532a6b5a88159

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\attrs-24.3.0.dist-info\METADATA

Filesize
11KB

MD5
0e682e7854fe836cad441326ab36d36d

SHA1
3efad7961f8f2dfb0a22a1eeabd3a92b9da0ab23

SHA256
7fd8611027805324bb89ec073d1b8c2c3cb5b6927abf2cbc47f4ca5270a6880f

SHA512
54fd3b0c98dce7c11691d08ca22c9c8a74cd838d03723dda3fbac326efc2550edb892f9d45aa3956c9c5c35b8c20fe096f6a002dee07150b437a1e7e76ac175a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\attrs-24.3.0.dist-info\RECORD

Filesize
3KB

MD5
72c9f466183f7eae813f25ed47198941

SHA1
7498fae0d90f7f64d6c954849225e82c8f1bac92

SHA256
a237de627ee31b429fed81bdff4fa5b5b22bc979a2580e1205acaedc78761143

SHA512
6ed2a1293fa6e27ca3bdaa95af38e3b2299d1d77b7e0fb2d67552cd8f3acaee5be94d4f3f562e6bc42e6f6c7fc9d302c7bd5b14a1243ef86979e077242173c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\attrs-24.3.0.dist-info\WHEEL

Filesize
87B

MD5
e2fcb0ad9ea59332c808928b4b439e7a

SHA1
07311208d4849f821e8af25a89a9985c4503fbd8

SHA256
aad0b0a12256807936d52d4a6f88a1773236ae527564a688bab4e3fe780e8724

SHA512
d4cb3ca64d69678959c4f59b4d1cb992e8e2e046a6acb92341fd30b8ce862bd81a48cbfa09ec9ae2e735ffec5c12d246d1593a859615adee10984635a9ba8af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\attrs-24.3.0.dist-info\licenses\LICENSE

Filesize
1KB

MD5
5e55731824cf9205cfabeab9a0600887

SHA1
243e9dd038d3d68c67d42c0c4ba80622c2a56246

SHA256
882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f

SHA512
21b242bf6dcbafa16336d77a40e69685d7e64a43cc30e13e484c72a93cd4496a7276e18137dc601b6a8c3c193cb775db89853ecc6d6eb2956deee36826d5ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\cryptography-44.0.0.dist-info\METADATA

Filesize
5KB

MD5
526d9ac9d8150602ec9ed8b9f4de7102

SHA1
dba2cb32c21c4b0f575e77bbcdd4fa468056f5e3

SHA256
d95f491ed418dc302db03804daf9335ce21b2df4704587e6851ef03e1f84d895

SHA512
fb13a2f6b64cb7e380a69424d484fc9b8758fa316a7a155ff062bfdacdca8f2c5d2a03898cd099688b1c16a5a0edcecfc42bf0d4d330926b10c3fce9f5238643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\cryptography-44.0.0.dist-info\RECORD

Filesize
15KB

MD5
f15ef7175220c9f59f90bbbaeda16dbd

SHA1
5367cac8814d7a54e1c0274ff3f651ed5c6fe5d6

SHA256
04db3839c853d4164576122b7d5a2bab186536dc8f9a4980385e11cf59946114

SHA512
bb0fa967e03d98b9611006df2155bd8ad58a0e8b1a679d636b94ce931d316f18b61b801e018deca90d8e5a35fa744ae8c9e1a36f25c791052008c43af53a8117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\cryptography-44.0.0.dist-info\WHEEL

Filesize
94B

MD5
a868f93fcf51c4f1c25658d54f994349

SHA1
535c88a10911673deabb7889d365e81729e483a6

SHA256
1e7f5bcad669386a11e8ce14e715131c2d402693c3f41d713eb338493c658c45

SHA512
ec13cac9df03676640ef5da033e8c2faee63916f27cc27b9c43f0824b98ab4a6ecb4c8d7d039fa6674ef189bdd9265c8ed509c1d80dff610aeb9e081093aeb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\cryptography-44.0.0.dist-info\licenses\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\cryptography-44.0.0.dist-info\licenses\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\cryptography-44.0.0.dist-info\licenses\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
606a84af5a9cf8ad3cb0314e77fb7209

SHA1
6de88d8554488ffe3e48c9b14886da16d1703a69

SHA256
0693ffa4990fa8c1664485f3d2a41b581eac0b340d07d62242052a67bf2ed5c3

SHA512
97d451f025aefb487c5cea568eb430356adfe23908321f1c04f8fa4c03df87507eda8d9612c944be4fa733df4cec38a0e37bffd8865088064b749244d4321b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30842\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
219ad30aea7630a3696df28231405927

SHA1
ebaf69903305ea0803570cc2ff4cf43dd2bc812a

SHA256
06d38127de4cbd3243f861ea22897d490520e913f77011a37d915c4992433604

SHA512
72eb7323deb26931ea000690f85272ee71e19b2896af2b43ccd8bcfc3a299e0f8a7a3f1e339fbfe7c855e081cd94e21ae09ba3b8e2d16dbacddb838c31b4de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_asyncio.pyd

Filesize
34KB

MD5
7d4f9a2b793e021f7e37b8448751ed4e

SHA1
0ea07b5024501aad5008655cfeae6d96b5da957a

SHA256
2293c1b6b0b901832a57a1c4dcb1265c9e92d21177195712c30632a7b63227d4

SHA512
af75452279c308c61c3e222a031a8201e47e8fe44c4e92cb7dab03d56c7e7e3e2a2c589f650c50e0b29e2df175d6f2ff50c8e5e589d17a124bf0a2e0d7886c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_bz2.pyd

Filesize
46KB

MD5
6250a28b9d0bfefc1254bd78ece7ae9f

SHA1
4b07c8e18d23c8ae9d92d7b8d39ae20bc447aecd

SHA256
7d43f7105aa4f856239235c67f61044493ee6f95ddf04533189bf5ea98073f0b

SHA512
6d0aa5c3f8f5b268b94341dfdd5afbe48f91f9aac143bf59f7f5e8ba6f54205b85ec527c53498ed8860fdff6a8d08e48ec4e1652eeab2d3c89aaaf3a14fcaaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_ctypes.pyd

Filesize
56KB

MD5
4b90108fabdd64577a84313c765a2946

SHA1
245f4628683a3e18bb6f0d1c88aa26fb959ed258

SHA256
e1b634628839a45ab08913463e07b6b6b7fd502396d768f43b21da2875b506a1

SHA512
91fa069d7cf61c57faad6355f6fd46d702576c4342460dadcedfdcbc07cd9d84486734f0561fa5e1e01668b384c3c07dd779b332f77d0bb6fbdbb8c0cb5091bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_decimal.pyd

Filesize
103KB

MD5
20985dc78dbd1992382354af5ca28988

SHA1
385a3e7a7654e5e4c686399f3a72b235e941e311

SHA256
f3620cac68595b8a8495ab044f19a1c89012f50d2fe571b7a1721485f7ff2e43

SHA512
61b8ecd2d12b3f785773b98d4bf4af0eb6eb2c61fbea6effb77ec24b2127e888d0ea5fdd8cc298484e0f770d70c87907048fc382faace8e0ca6b49ab106c89f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_hashlib.pyd

Filesize
33KB

MD5
3b5530f497ff7c127383d0029e680c35

SHA1
fb5dc554bb9ff49622184cc16883a7567115c7ca

SHA256
5971fcc9758b7f4a12cde2190a323f35a34ab7f97bd8c39cc8f3335223102573

SHA512
12ced7ddb0352f8eca3c3cb7c7c2faaf08e617b2dd278d20008051fb6b564b17c3e9ecfa8b0ffe7674154ad533dfbbf1e802accd5e1aef12ece01368da06e85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_lzma.pyd

Filesize
84KB

MD5
8edbeeccb6f3dbb09389d99d45db5542

SHA1
f7e7af2851a5bf22de79a24fe594b5c0435fca8a

SHA256
90701973be6b23703e495f6a145bae251a7bb066d3c5f398ec42694fd06a069f

SHA512
2a8bf60f2280b9a947578bd7fd49c3ace8e010a3d4b38e370edb511ea0e125df688bbac369d6a3cec9d285a1fa2ad2dac18a0ef30fda46e49a9440418581e501

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_multiprocessing.pyd

Filesize
25KB

MD5
4fbc5fd5da9da74c04fe0374387b34d3

SHA1
1e9c98db0486f98fb7d8eb9fa57a949494b649b5

SHA256
b2347790c87052623710382d3178887f68a79618d6da5174909f46b169236950

SHA512
ce87d4512c2ab7c1ad7986e8e1fe790615ae39c7667d234dfc09026ee7e1518b3bfbf7974612811db0c3e5654b35b54e118e23e624bebe027a51d2c8f2a4652a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_overlapped.pyd

Filesize
30KB

MD5
5c1441f6ee11632183a83dac2d22853b

SHA1
eef732ff4bab9ea5c8fffb6a93c47cfc8e64dae2

SHA256
104e0b0e0e9fec9eb6438683296feeba298d5f23b02d2080577fc87ffec67acf

SHA512
e41d3433754a8a3d2c572bb7f3902c0d37cba2e6f3307f0e6dfed316a22b11ef7e52a73c30085fa89fcff603e4b76858abe761217c320e38fa2eb95d1777b595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_queue.pyd

Filesize
24KB

MD5
5c4c43763fb1a796134aa5734905c891

SHA1
44a5e1ae4806406a239129d77888bd87d291a410

SHA256
4edc80e7d331ba0e9338431d407157181190f995821d1cd24f7a7aa2422ece0c

SHA512
07bec7e4a85e76cfab2c21776b50ee2bd0454835fcb43b573dee757eca24cbeb4530784bae07de3be90820cee6d72023d9ded395d4f1a4931971db247dc1a71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_socket.pyd

Filesize
41KB

MD5
53e72716073038c1dd1db65bfdb1254c

SHA1
7bf220a02a3b51aa51300b3a9ea7fa48358ca161

SHA256
e1fb6927ba2ed014d0ac750af0ee0bb3d49487dd6920848937259606e1e92e1d

SHA512
c10d91b6ec82402b0eb05dc31a4703c999f4988e88204b695e009fae5fdcc61e8a6dc4d2879ecf2babc030224048afd2f256b9e7f5c5b6f28762047813be0941

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_sqlite3.pyd

Filesize
48KB

MD5
e7d68df8f65fbb0298a45519e2336f32

SHA1
ad3c84ad7eb75a61f287b1ba9fd2801567e39b6d

SHA256
2473ebaf52723c3751a12117ebbe974e50ecdaeb40b282a12ba4e6aa98492e79

SHA512
626204685e9b95310aba51be4a8abaf3b6e152fa35902f64f837303fc4011a4518ee393047ceb45bf377e9d965d169c92bfbb6673475150e159c59b7857ba03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_ssl.pyd

Filesize
60KB

MD5
7e9d95ac47a2284706318656b4f711d3

SHA1
f085104709201c6e64635aeacf1da51599054e55

SHA256
38dcb3d0f217785b39c03d4c949dd1e04b70e9eade8a4ad83f026390684059c9

SHA512
294a5148d8fcddabd177b776617da7720d9876ac2a1cdf8dd7b9489f0f719600a634346cdfa07da66588de885b0a64d8cccde4d47edbf6305bd2af44ee209118

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\_uuid.pyd

Filesize
21KB

MD5
59cfd9669367517b384922b2485cb6a7

SHA1
1bd44298543204d61d4efd2cd3980ad01071360d

SHA256
e02bfad84786560b624efd56df55c88a4ffbd6c7cfc728bf68b6401aa10f849f

SHA512
d0dd041d8493c7c19db01ea8477981148726796ce2ab58d3193064123319bd5b68fd57871d1db0aaa08d07f78ab96a3d343051c33ffd406e96b921248ea32665

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
23df1d1a4bfd29c6c0f89d1a42bbecbb

SHA1
b8e5686724223bd5e8ed0b7a3517cdc3005be66a

SHA256
10f7967a3c574caea10fd5a94c9b6eba405ed6afec402969424c143566593adc

SHA512
75a455a9eb96bd52f0d795188a1120ee14d36944c331d97b4c3da837238bd2928cff29df27c0f17093022d976c0c2e54189babd94c6dc927ac325216c340481a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
b0e8cbf64f3728eee12e6e0756e67c95

SHA1
71bc5ae8847dac5d0737e6321833a37da655d538

SHA256
7a931c3108173c4d8cc4ed7304414fcd3ba67ceff81f84506dcdda8979f5f33b

SHA512
622126f5a1fc5e275680bb64648a8cac6a5eaf3e7d6a262f0002afc26cec6d9c3addbba257626ac54189b7f85e5abdfc3809954ce0437046fc64b643a4e8cb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\aiohttp\_websocket\mask.cp310-win_amd64.pyd

Filesize
19KB

MD5
2b5d378afb9aeb031ed1a84f5c216291

SHA1
7955e2ec7e7ffa13e58af098d37c480c8f23ccad

SHA256
1d44b957609599fdf3115bb47bd668f560b63d4d84c74c1f7bf1f3dc05246d6a

SHA512
9102a95c57024afddb67b6500ce1606a2bf5923aa66f67e21fec23c1efb1c9a0cd77c55417b25c7cdbcda119cd817ea4219a1fe321a2f9300f8bffa99d8b0a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd

Filesize
61KB

MD5
2cb730463ee9a2360b568bb54ff283b1

SHA1
e63b5d62d281f153ab2c3487f4423bec259e1bd5

SHA256
17b026c18dc25b2f8842da41484e39c8e92bd3ff9fe0f6d03f9fdc389991e7ae

SHA512
a7891ba2619cc6910c47ffac153ba31a3b17f67f08654f7a1fed380b1f4951673573f5e5a59e45e4edc432b135dbb57bb82c3b4cbdfc265d0daa6fca587ab732

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\base_library.zip

Filesize
859KB

MD5
9b62388394601020bd24fa9e7b4e9e0a

SHA1
06023daf857014770ff38d4ebbd600ba03109f28

SHA256
a6993db44fde43c8fdbf3512db50060812924c95f6f60aeb80913380a0b4f3e1

SHA512
ac1bfebb36d844a0c5909b34fc1100ff2d1f88a0b71a75aa27b4d2b281a90dcb05259b874e4fdb300572a0c029db96e507b5caefdaf03cc32050dc2b728c654b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
7f691747ce66d3ed05a7c2c53220c8b5

SHA1
1d3f247042030cf8cf7c859002941beba5d15776

SHA256
7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228

SHA512
b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
31KB

MD5
9fe92acae9522cd0044146e1b57c23fa

SHA1
ec8875039a387bb4ac302cd533b2fe27dbe75b43

SHA256
622077d084db60b50c43a1923d60c02f1900fffa3b5a11dfd34328e6fd341362

SHA512
cdf5dae191f9b6c75d5698d49d1a55a00695ac896a0823357ea7bf3332683231cb10b1544ec12fab5cf5a15117a92af18e1266f29ed3d3ccbcb56ff46a421e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\pyexpat.pyd

Filesize
86KB

MD5
46331749084f98bcfe8631d74c5e038f

SHA1
5e5510f7a4d03f10d979e0d6a0d2a6f0e53ca347

SHA256
21cc4b9ccd69d08d7c1068b1f004ae9454f7ea0a322801860faf0e6f4a24a3df

SHA512
edd39ce2d927fb6700a86db07f4f56cab897ef91a320f3e5ecb542ea1be6888dd27a08008e5fa1df3765b0c82d1046a23c8d59e76d11f4e6449d4d6826879589

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\python310.dll

Filesize
1.4MB

MD5
fc7bd515b12e537a39dc93a09b3eaad6

SHA1
96f5d4b0967372553cb106539c5566bc184f6167

SHA256
461e008b7cdf034f99a566671b87849772873a175aefec6ed00732976f5c4164

SHA512
a8433d5b403f898e4eeebd72fce08ebad066ca60aeb0b70e2ae78377babc2acbbae2ac91ab20f813cce4b1dc58c2ad6b3868f18cc8ac0fe7be2bff020eb73122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\select.pyd

Filesize
24KB

MD5
3797a47a60b606e25348c67043874fe8

SHA1
63a33fedffd52190236a6acd0fc5d9d491e3ac45

SHA256
312e9b01d1632840983e8533d1685a64fb87e4538f724a7a59a71b1ba148bbac

SHA512
3eb7599825b7b21aaab05e420dd16d4a8eaa21652d232f6e4ede213a232b701401556e44df73cfa20ae855d1adc28304b52d42367b74ebd8e96c2e3d9a9b93e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\sqlite3.dll

Filesize
608KB

MD5
6a3a34c9c67efd6c17d44292e8db8fad

SHA1
339b1e514d60d8370eaec1e2f2b71cead999f970

SHA256
7b0e840165d65f0f5285476467e4c154c4d936613966b84948110a4614b9cad9

SHA512
6f2a1b670d28762745f0d3b961a331cbbb0dec244f8798734b911b3a3bc9519c73a3b26f1e1117725f6f1e880e57cadb562a1450659bca1aae353f6b9575d7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\unicodedata.pyd

Filesize
287KB

MD5
fed35db31377d515d198e5e446498be2

SHA1
62e388d17e17208ea0e881ccd96c75b7b1fbc5f7

SHA256
af3cdc9a2a1d923be67244429867a3c5c70835249e3573a03b98d08d148fe24b

SHA512
0985528cb0289086ec895e21a8947e04f732d5660460f2e7fa8668bd441c891438781c808bcea9294f348720e3752c10ea65363371f7e75ea48600d016bab72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46722\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
8640834733897205d9193e1b21084135

SHA1
e452ae2dbabcc8691233428dd1da5d23961b047d

SHA256
bd209ab04ba8a3a40546832380547a460b1257f4fb4b4012f6fc48f9c36cc476

SHA512
365805a31ed3ef7648fa2fac49fecc0646dd5dfcad8468918623d962db6aab08339f510edccdaf1340f8bfc06a4628c070de947cdec55cfabdc3563af2de43e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\attrs-24.3.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qyyc3dyn.x2m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/808-164-0x00007FFF636D0000-0x00007FFF636EB000-memory.dmp

Filesize
108KB

Download
memory/808-267-0x00007FFF66720000-0x00007FFF66735000-memory.dmp

Filesize
84KB

Download
memory/808-301-0x00007FFF63480000-0x00007FFF634CD000-memory.dmp

Filesize
308KB

Download
memory/808-308-0x00007FFF63420000-0x00007FFF63452000-memory.dmp

Filesize
200KB

Download
memory/808-204-0x00007FFF639D0000-0x00007FFF639F2000-memory.dmp

Filesize
136KB

Download
memory/808-205-0x00007FFF636D0000-0x00007FFF636EB000-memory.dmp

Filesize
108KB

Download
memory/808-186-0x00007FFF62EF0000-0x00007FFF62FA8000-memory.dmp

Filesize
736KB

Download
memory/808-306-0x00007FFF665C0000-0x00007FFF665CD000-memory.dmp

Filesize
52KB

Download
memory/808-315-0x00007FFF62D70000-0x00007FFF62DA7000-memory.dmp

Filesize
220KB

Download
memory/808-187-0x00007FFF62D70000-0x00007FFF62DA7000-memory.dmp

Filesize
220KB

Download
memory/808-128-0x00007FFF68C00000-0x00007FFF68C19000-memory.dmp

Filesize
100KB

Download
memory/808-132-0x00007FFF668D0000-0x00007FFF668E9000-memory.dmp

Filesize
100KB

Download
memory/808-311-0x00007FFF4F5F0000-0x00007FFF4FDEB000-memory.dmp

Filesize
8.0MB

Download
memory/808-134-0x00007FFF668A0000-0x00007FFF668CD000-memory.dmp

Filesize
180KB

Download
memory/808-136-0x00007FFF66880000-0x00007FFF6689F000-memory.dmp

Filesize
124KB

Download
memory/808-140-0x00007FFF66850000-0x00007FFF6687E000-memory.dmp

Filesize
184KB

Download
memory/808-185-0x00007FFF4F5F0000-0x00007FFF4FDEB000-memory.dmp

Filesize
8.0MB

Download
memory/808-184-0x00007FFF4FDF0000-0x00007FFF50165000-memory.dmp

Filesize
3.5MB

Download
memory/808-144-0x00007FFF62FB0000-0x00007FFF6341E000-memory.dmp

Filesize
4.4MB

Download
memory/808-183-0x000001760F4D0000-0x000001760F845000-memory.dmp

Filesize
3.5MB

Download
memory/808-145-0x00007FFF62EF0000-0x00007FFF62FA8000-memory.dmp

Filesize
736KB

Download
memory/808-182-0x00007FFF66850000-0x00007FFF6687E000-memory.dmp

Filesize
184KB

Download
memory/808-181-0x00007FFF62DB0000-0x00007FFF62DCE000-memory.dmp

Filesize
120KB

Download
memory/808-157-0x00007FFF4FDF0000-0x00007FFF50165000-memory.dmp

Filesize
3.5MB

Download
memory/808-158-0x00007FFF67970000-0x00007FFF67994000-memory.dmp

Filesize
144KB

Download
memory/808-159-0x00007FFF68AE0000-0x00007FFF68AF0000-memory.dmp

Filesize
64KB

Download
memory/808-160-0x00007FFF66700000-0x00007FFF66714000-memory.dmp

Filesize
80KB

Download
memory/808-161-0x00007FFF666E0000-0x00007FFF666F4000-memory.dmp

Filesize
80KB

Download
memory/808-162-0x00007FFF639D0000-0x00007FFF639F2000-memory.dmp

Filesize
136KB

Download
memory/808-163-0x00007FFF62DD0000-0x00007FFF62EE8000-memory.dmp

Filesize
1.1MB

Download
memory/808-169-0x00007FFF68C00000-0x00007FFF68C19000-memory.dmp

Filesize
100KB

Download
memory/808-170-0x00007FFF636B0000-0x00007FFF636C8000-memory.dmp

Filesize
96KB

Download
memory/808-175-0x00007FFF63480000-0x00007FFF634CD000-memory.dmp

Filesize
308KB

Download
memory/808-176-0x00007FFF63460000-0x00007FFF63471000-memory.dmp

Filesize
68KB

Download
memory/808-178-0x00007FFF63420000-0x00007FFF63452000-memory.dmp

Filesize
200KB

Download
memory/808-179-0x00007FFF67960000-0x00007FFF6796A000-memory.dmp

Filesize
40KB

Download
memory/808-180-0x00007FFF66880000-0x00007FFF6689F000-memory.dmp

Filesize
124KB

Download
memory/808-165-0x00007FFF66720000-0x00007FFF66735000-memory.dmp

Filesize
84KB

Download
memory/808-146-0x000001760F4D0000-0x000001760F845000-memory.dmp

Filesize
3.5MB

Download
memory/808-138-0x00007FFF634D0000-0x00007FFF63641000-memory.dmp

Filesize
1.4MB

Download
memory/808-130-0x00007FFF68AF0000-0x00007FFF68AFD000-memory.dmp

Filesize
52KB

Download
memory/808-126-0x00007FFF6CC80000-0x00007FFF6CC8F000-memory.dmp

Filesize
60KB

Download
memory/808-105-0x00007FFF67970000-0x00007FFF67994000-memory.dmp

Filesize
144KB

Download
memory/808-95-0x00007FFF62FB0000-0x00007FFF6341E000-memory.dmp

Filesize
4.4MB

Download
memory/2468-668-0x00007FFF4E440000-0x00007FFF4E4F8000-memory.dmp

Filesize
736KB

Download
memory/2468-658-0x00007FFF4F180000-0x00007FFF4F5EE000-memory.dmp

Filesize
4.4MB

Download
memory/3348-520-0x00007FFF62A10000-0x00007FFF62A25000-memory.dmp

Filesize
84KB

Download
memory/3348-529-0x00007FFF57E80000-0x00007FFF57E91000-memory.dmp

Filesize
68KB

Download
memory/3348-534-0x00007FFF4E240000-0x00007FFF4E277000-memory.dmp

Filesize
220KB

Download
memory/3348-533-0x00007FFF4E280000-0x00007FFF4EA7B000-memory.dmp

Filesize
8.0MB

Download
memory/3348-532-0x00007FFF4EA80000-0x00007FFF4EA9E000-memory.dmp

Filesize
120KB

Download
memory/3348-530-0x00007FFF52310000-0x00007FFF52342000-memory.dmp

Filesize
200KB

Download
memory/3348-508-0x00007FFF4F180000-0x00007FFF4F5EE000-memory.dmp

Filesize
4.4MB

Download
memory/3348-518-0x00007FFF4EF40000-0x00007FFF4EFF8000-memory.dmp

Filesize
736KB

Download
memory/3348-519-0x00007FFF4EBC0000-0x00007FFF4EF35000-memory.dmp

Filesize
3.5MB

Download
memory/3348-521-0x00007FFF62A00000-0x00007FFF62A10000-memory.dmp

Filesize
64KB

Download
memory/3348-522-0x00007FFF590F0000-0x00007FFF59104000-memory.dmp

Filesize
80KB

Download
memory/3348-524-0x00007FFF57EC0000-0x00007FFF57EE2000-memory.dmp

Filesize
136KB

Download
memory/3348-525-0x00007FFF4EAA0000-0x00007FFF4EBB8000-memory.dmp

Filesize
1.1MB

Download
memory/3348-526-0x00007FFF58000000-0x00007FFF5801B000-memory.dmp

Filesize
108KB

Download
memory/3348-527-0x00007FFF57EA0000-0x00007FFF57EB8000-memory.dmp

Filesize
96KB

Download
memory/3348-528-0x00007FFF52350000-0x00007FFF5239D000-memory.dmp

Filesize
308KB

Download
memory/5276-383-0x00007FFF62CA0000-0x00007FFF62CAD000-memory.dmp

Filesize
52KB

Download
memory/5276-348-0x00007FFF5C380000-0x00007FFF5C38A000-memory.dmp

Filesize
40KB

Download
memory/5276-343-0x000001900E320000-0x000001900E695000-memory.dmp

Filesize
3.5MB

Download
memory/5276-366-0x00007FFF62A80000-0x00007FFF62A95000-memory.dmp

Filesize
84KB

Download
memory/5276-367-0x00007FFF62C40000-0x00007FFF62C50000-memory.dmp

Filesize
64KB

Download
memory/5276-368-0x00007FFF62A40000-0x00007FFF62A54000-memory.dmp

Filesize
80KB

Download
memory/5276-354-0x00007FFF4F180000-0x00007FFF4F5EE000-memory.dmp

Filesize
4.4MB

Download
memory/5276-355-0x00007FFF62CD0000-0x00007FFF62CF4000-memory.dmp

Filesize
144KB

Download
memory/5276-356-0x00007FFF66A90000-0x00007FFF66A9F000-memory.dmp

Filesize
60KB

Download
memory/5276-371-0x00007FFF4EAA0000-0x00007FFF4EBB8000-memory.dmp

Filesize
1.1MB

Download
memory/5276-380-0x00007FFF4B6C0000-0x00007FFF4B6F7000-memory.dmp

Filesize
220KB

Download
memory/5276-342-0x00007FFF52350000-0x00007FFF5239D000-memory.dmp

Filesize
308KB

Download
memory/5276-341-0x00007FFF62AD0000-0x00007FFF62AEF000-memory.dmp

Filesize
124KB

Download
memory/5276-340-0x00007FFF58020000-0x00007FFF58038000-memory.dmp

Filesize
96KB

Download
memory/5276-339-0x00007FFF4F000000-0x00007FFF4F171000-memory.dmp

Filesize
1.4MB

Download
memory/5276-370-0x00007FFF59130000-0x00007FFF59152000-memory.dmp

Filesize
136KB

Download
memory/5276-268-0x00007FFF4F180000-0x00007FFF4F5EE000-memory.dmp

Filesize
4.4MB

Download
memory/5276-362-0x00007FFF4F000000-0x00007FFF4F171000-memory.dmp

Filesize
1.4MB

Download
memory/5276-365-0x00007FFF4EBC0000-0x00007FFF4EF35000-memory.dmp

Filesize
3.5MB

Download
memory/5276-372-0x00007FFF62A00000-0x00007FFF62A1B000-memory.dmp

Filesize
108KB

Download
memory/5276-373-0x00007FFF58020000-0x00007FFF58038000-memory.dmp

Filesize
96KB

Download
memory/5276-375-0x00007FFF58000000-0x00007FFF58011000-memory.dmp

Filesize
68KB

Download
memory/5276-376-0x00007FFF52310000-0x00007FFF52342000-memory.dmp

Filesize
200KB

Download
memory/5276-378-0x00007FFF4B9B0000-0x00007FFF4B9CE000-memory.dmp

Filesize
120KB

Download
memory/5276-379-0x00007FFF461E0000-0x00007FFF469DB000-memory.dmp

Filesize
8.0MB

Download
memory/5276-381-0x00007FFF62AD0000-0x00007FFF62AEF000-memory.dmp

Filesize
124KB

Download
memory/5276-382-0x00007FFF62C80000-0x00007FFF62C99000-memory.dmp

Filesize
100KB

Download
memory/5276-369-0x00007FFF62A20000-0x00007FFF62A34000-memory.dmp

Filesize
80KB

Download
memory/5276-384-0x00007FFF4EF40000-0x00007FFF4EFF8000-memory.dmp

Filesize
736KB

Download
memory/5276-357-0x00007FFF62CB0000-0x00007FFF62CC9000-memory.dmp

Filesize
100KB

Download
memory/5276-345-0x00007FFF62AA0000-0x00007FFF62ACE000-memory.dmp

Filesize
184KB

Download
memory/5276-346-0x00007FFF4EBC0000-0x00007FFF4EF35000-memory.dmp

Filesize
3.5MB

Download
memory/5276-347-0x00007FFF58000000-0x00007FFF58011000-memory.dmp

Filesize
68KB

Download
memory/5276-351-0x00007FFF461E0000-0x00007FFF469DB000-memory.dmp

Filesize
8.0MB

Download
memory/5276-353-0x00007FFF4B6C0000-0x00007FFF4B6F7000-memory.dmp

Filesize
220KB

Download
memory/5276-344-0x00007FFF52310000-0x00007FFF52342000-memory.dmp

Filesize
200KB

Download
memory/5276-350-0x00007FFF4B9B0000-0x00007FFF4B9CE000-memory.dmp

Filesize
120KB

Download
memory/5276-349-0x00007FFF62A80000-0x00007FFF62A95000-memory.dmp

Filesize
84KB

Download
memory/5276-316-0x00007FFF4F180000-0x00007FFF4F5EE000-memory.dmp

Filesize
4.4MB

Download
memory/5276-319-0x000001900E320000-0x000001900E695000-memory.dmp

Filesize
3.5MB

Download
memory/5276-320-0x00007FFF4EF40000-0x00007FFF4EFF8000-memory.dmp

Filesize
736KB

Download
memory/5276-321-0x00007FFF62A80000-0x00007FFF62A95000-memory.dmp

Filesize
84KB

Download
memory/5276-322-0x00007FFF62CD0000-0x00007FFF62CF4000-memory.dmp

Filesize
144KB

Download
memory/5276-325-0x00007FFF62CB0000-0x00007FFF62CC9000-memory.dmp

Filesize
100KB

Download
memory/5276-327-0x00007FFF59130000-0x00007FFF59152000-memory.dmp

Filesize
136KB

Download
memory/5276-328-0x00007FFF4EAA0000-0x00007FFF4EBB8000-memory.dmp

Filesize
1.1MB

Download
memory/5276-329-0x00007FFF62A00000-0x00007FFF62A1B000-memory.dmp

Filesize
108KB

Download
memory/5276-326-0x00007FFF62A20000-0x00007FFF62A34000-memory.dmp

Filesize
80KB

Download
memory/5276-324-0x00007FFF62A40000-0x00007FFF62A54000-memory.dmp

Filesize
80KB

Download
memory/5276-323-0x00007FFF62C40000-0x00007FFF62C50000-memory.dmp

Filesize
64KB

Download
memory/5276-317-0x00007FFF62AA0000-0x00007FFF62ACE000-memory.dmp

Filesize
184KB

Download
memory/5276-318-0x00007FFF4EBC0000-0x00007FFF4EF35000-memory.dmp

Filesize
3.5MB

Download
memory/5276-312-0x00007FFF62C50000-0x00007FFF62C7D000-memory.dmp

Filesize
180KB

Download
memory/5276-313-0x00007FFF4F000000-0x00007FFF4F171000-memory.dmp

Filesize
1.4MB

Download
memory/5276-314-0x00007FFF62AD0000-0x00007FFF62AEF000-memory.dmp

Filesize
124KB

Download
memory/5276-309-0x00007FFF62CA0000-0x00007FFF62CAD000-memory.dmp

Filesize
52KB

Download
memory/5276-310-0x00007FFF62C80000-0x00007FFF62C99000-memory.dmp

Filesize
100KB

Download
memory/5276-307-0x00007FFF62CB0000-0x00007FFF62CC9000-memory.dmp

Filesize
100KB

Download
memory/5276-302-0x00007FFF66A90000-0x00007FFF66A9F000-memory.dmp

Filesize
60KB

Download
memory/5276-270-0x00007FFF62CD0000-0x00007FFF62CF4000-memory.dmp

Filesize
144KB

Download
memory/5292-0-0x00007FFF51773000-0x00007FFF51775000-memory.dmp

Filesize
8KB

Download
memory/5292-96-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5292-19-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5292-1-0x0000000000EB0000-0x0000000001C70000-memory.dmp

Filesize
13.8MB

Download
memory/5572-18-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5572-15-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5572-14-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5572-13-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5572-12-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5572-11-0x00007FFF51770000-0x00007FFF52232000-memory.dmp

Filesize
10.8MB

Download
memory/5572-8-0x000002627ACF0000-0x000002627AD12000-memory.dmp

Filesize
136KB

Download