b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd

Resubmissions

12/01/2025, 14:35

250112-rx8vssyndp 10

12/01/2025, 06:09

250112-gwmwtszmbt 10

Analysis

max time kernel
900s
max time network
840s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12/01/2025, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

13.7MB
MD5

cc6d7a6b17febe201b7f7d26ce944c08
SHA1

231e8439c0facca7cc4b730bf950351d48e3a7c2
SHA256

b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd
SHA512

c2abd5a8a59e09951df3d17b591442097cb2615a57abbef9afee9660dcd59ece483ca9a6ab4e83a622235eef4c75ef64dc2b32b58829cef8c485e1517e9ba652
SSDEEP

393216:KsEANEX3gBGYVwwoE0VhUqE7SlO9h4m/a360m:KhIEX3kGN/XBEWs4EA60m

Score

8^/10

execution persistence pyinstaller upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
7312	Process not Found
964	powershell.exe
5144	powershell.exe
4344	Process not Found
1572	Process not Found
5556	powershell.exe
7476	Process not Found
2180	powershell.exe
3556	powershell.exe
4924	powershell.exe
3964	powershell.exe
2624	powershell.exe
6016	powershell.exe
1924	Process not Found
2908	powershell.exe
5096	powershell.exe
5420	powershell.exe
3744	Process not Found
7268	Process not Found
2960	powershell.exe
5032	powershell.exe
3372	powershell.exe
5904	Process not Found
5088	powershell.exe
5428	powershell.exe
1976	powershell.exe
2556	powershell.exe
4972	powershell.exe
3708	powershell.exe
6668	Process not Found
7372	Process not Found
2024	powershell.exe
3188	powershell.exe
4972	powershell.exe
2608	Process not Found
1040	powershell.exe
3920	powershell.exe
4876	powershell.exe
4176	Process not Found
7872	Process not Found
6520	Process not Found
3504	powershell.exe
808	powershell.exe
5112	powershell.exe
4176	Process not Found
7256	Process not Found
1296	powershell.exe
4892	powershell.exe
4908	powershell.exe
6348	Process not Found
7048	Process not Found
6224	Process not Found
8120	Process not Found
7848	Process not Found
1628	powershell.exe
4680	powershell.exe
4184	Process not Found
4280	Process not Found
5420	powershell.exe
7208	Process not Found
2868	powershell.exe
2192	powershell.exe
4068	powershell.exe
5144	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2116	Exela.exe
1452	Exela.exe
1544	Exela.exe
1828	Exela.exe
1244	Process not Found
1164	Exela.exe
1984	Exela.exe
2852	Exela.exe
1924	Exela.exe
2384	Exela.exe
2632	Exela.exe
272	Exela.exe
1136	Exela.exe
2404	Exela.exe
1632	Exela.exe
1060	Exela.exe
1560	Exela.exe
484	Exela.exe
2788	Exela.exe
2620	Exela.exe
1524	Exela.exe
2008	Exela.exe
1916	Exela.exe
2720	Exela.exe
2328	Exela.exe
2060	Exela.exe
2224	Exela.exe
1568	Exela.exe
2560	Exela.exe
2352	Exela.exe
2764	Exela.exe
720	Exela.exe
1688	Exela.exe
1828	Exela.exe
2908	Exela.exe
1040	Exela.exe
1020	Exela.exe
2292	Exela.exe
2728	Exela.exe
2744	Exela.exe
2876	Exela.exe
2900	Exela.exe
1940	Exela.exe
2492	Exela.exe
2188	Exela.exe
2816	Exela.exe
2336	Exela.exe
1004	Exela.exe
552	Exela.exe
2932	Exela.exe
320	Exela.exe
1924	Exela.exe
1112	Exela.exe
1832	Exela.exe
1976	Exela.exe
2780	Exela.exe
2596	Exela.exe
1036	Exela.exe
684	Exela.exe
2968	Exela.exe
1012	Exela.exe
2848	Exela.exe
2020	Exela.exe
772	Exela.exe

Loads dropped DLL 64 IoCs

pid	Process
2548	Solara.exe
2116	Exela.exe
1452	Exela.exe
2956	Solara.exe
1544	Exela.exe
1828	Exela.exe
3024	Solara.exe
1164	Exela.exe
1984	Exela.exe
1836	Solara.exe
2852	Exela.exe
1924	Exela.exe
2312	Solara.exe
2384	Exela.exe
2632	Exela.exe
2188	Solara.exe
272	Exela.exe
1136	Exela.exe
1384	Solara.exe
2404	Exela.exe
1632	Exela.exe
2972	Solara.exe
1060	Exela.exe
1560	Exela.exe
2980	Solara.exe
484	Exela.exe
2788	Exela.exe
1708	Solara.exe
2620	Exela.exe
1524	Exela.exe
1276	Solara.exe
2008	Exela.exe
1916	Exela.exe
1092	Solara.exe
2720	Exela.exe
2328	Exela.exe
3056	Solara.exe
2060	Exela.exe
2224	Exela.exe
1968	Solara.exe
1568	Exela.exe
2560	Exela.exe
1512	Solara.exe
2352	Exela.exe
2764	Exela.exe
3024	Solara.exe
720	Exela.exe
1688	Exela.exe
1004	Solara.exe
1828	Exela.exe
2908	Exela.exe
1836	Solara.exe
1040	Exela.exe
1020	Exela.exe
2600	Solara.exe
2292	Exela.exe
2728	Exela.exe
2520	Solara.exe
2744	Exela.exe
2876	Exela.exe
2920	Solara.exe
2900	Exela.exe
1940	Exela.exe
3024	Solara.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a50a-70.dat	upx
behavioral1/memory/1452-72-0x000007FEF4150000-0x000007FEF45BE000-memory.dmp	upx
behavioral1/memory/1828-136-0x000007FEF3CE0000-0x000007FEF414E000-memory.dmp	upx
behavioral1/memory/1924-263-0x000007FEF3870000-0x000007FEF3CDE000-memory.dmp	upx
behavioral1/files/0x000600000001a4dc-355.dat	upx
behavioral1/files/0x000600000001a4f2-361.dat	upx
behavioral1/files/0x000600000001bfa8-367.dat	upx
behavioral1/files/0x000600000001ad6c-366.dat	upx
behavioral1/files/0x000600000001a5e0-365.dat	upx
behavioral1/files/0x000600000001a5ad-364.dat	upx
behavioral1/memory/2632-372-0x000007FEF3400000-0x000007FEF386E000-memory.dmp	upx
behavioral1/files/0x000600000001a4ee-360.dat	upx
behavioral1/files/0x000600000001a4e7-359.dat	upx
behavioral1/files/0x000600000001a4e3-358.dat	upx
behavioral1/files/0x000600000001a4e1-357.dat	upx
behavioral1/files/0x000600000001a4de-356.dat	upx
behavioral1/files/0x000600000001a4d8-354.dat	upx
behavioral1/files/0x000600000001a4ab-340.dat	upx
behavioral1/files/0x000600000001a4a5-339.dat	upx
behavioral1/files/0x000600000001a494-338.dat	upx
behavioral1/files/0x000600000001a489-337.dat	upx
behavioral1/files/0x000600000001a467-336.dat	upx
behavioral1/files/0x000600000001a42d-335.dat	upx
behavioral1/files/0x000600000001a423-334.dat	upx
behavioral1/files/0x000600000001a41f-333.dat	upx
behavioral1/files/0x000600000001a41c-332.dat	upx
behavioral1/files/0x000600000001a41a-331.dat	upx
behavioral1/files/0x000600000001a355-330.dat	upx
behavioral1/files/0x000700000001a303-329.dat	upx
behavioral1/files/0x000900000001946b-328.dat	upx
behavioral1/files/0x000700000001941b-327.dat	upx
behavioral1/files/0x000700000001939c-326.dat	upx
behavioral1/files/0x000700000001938e-325.dat	upx
behavioral1/files/0x0008000000019377-323.dat	upx
behavioral1/files/0x000700000001938a-324.dat	upx
behavioral1/memory/1136-436-0x000007FEF2F90000-0x000007FEF33FE000-memory.dmp	upx
behavioral1/memory/1560-555-0x000007FEF2B20000-0x000007FEF2F8E000-memory.dmp	upx
behavioral1/memory/2788-611-0x000007FEF26B0000-0x000007FEF2B1E000-memory.dmp	upx
behavioral1/memory/1524-712-0x000007FEF2240000-0x000007FEF26AE000-memory.dmp	upx
behavioral1/memory/1916-767-0x000007FEEFAF0000-0x000007FEEFF5E000-memory.dmp	upx
behavioral1/memory/2224-880-0x000007FEEF0F0000-0x000007FEEF55E000-memory.dmp	upx
behavioral1/memory/2560-937-0x000007FEEEC80000-0x000007FEEF0EE000-memory.dmp	upx
behavioral1/memory/2764-1039-0x000007FEEE810000-0x000007FEEEC7E000-memory.dmp	upx
behavioral1/memory/1688-1096-0x000007FEEE3A0000-0x000007FEEE80E000-memory.dmp	upx
behavioral1/memory/1020-1211-0x000007FEEDF30000-0x000007FEEE39E000-memory.dmp	upx
behavioral1/memory/2728-1270-0x000007FEEDAC0000-0x000007FEEDF2E000-memory.dmp	upx
behavioral1/memory/2876-1374-0x000007FEED650000-0x000007FEEDABE000-memory.dmp	upx
behavioral1/memory/1940-1434-0x000007FEED1E0000-0x000007FEED64E000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a00000001202b-18.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2160	powershell.exe
2960	powershell.exe
2352	powershell.exe
2884	powershell.exe
1144	powershell.exe
2632	powershell.exe
2200	powershell.exe
2124	powershell.exe
796	powershell.exe
2464	powershell.exe
1840	powershell.exe
2072	powershell.exe
2344	powershell.exe
2704	powershell.exe
2340	powershell.exe
2888	powershell.exe
2000	powershell.exe
2612	powershell.exe
1384	powershell.exe
2956	powershell.exe
2396	powershell.exe
2284	powershell.exe
2808	powershell.exe
2868	powershell.exe
912	powershell.exe
1596	powershell.exe
2520	powershell.exe
1032	powershell.exe
1964	powershell.exe
2348	powershell.exe
1976	powershell.exe
2576	powershell.exe
2324	powershell.exe
2440	powershell.exe
2180	powershell.exe
2076	powershell.exe
780	powershell.exe
1600	powershell.exe
2236	powershell.exe
2800	powershell.exe
1976	powershell.exe
1156	powershell.exe
2872	powershell.exe
1052	powershell.exe
1236	powershell.exe
1628	powershell.exe
1512	powershell.exe
1068	powershell.exe
1832	powershell.exe
2332	powershell.exe
1656	powershell.exe
1068	powershell.exe
2236	powershell.exe
1928	powershell.exe
3016	powershell.exe
2712	powershell.exe
1824	powershell.exe
1220	powershell.exe
2200	powershell.exe
568	powershell.exe
2260	powershell.exe
1544	powershell.exe
1960	powershell.exe
604	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
684	Exela.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2160	2548	Solara.exe	30
PID 2548 wrote to memory of 2160	2548	Solara.exe	30
PID 2548 wrote to memory of 2160	2548	Solara.exe	30
PID 2548 wrote to memory of 2956	2548	Solara.exe	97
PID 2548 wrote to memory of 2956	2548	Solara.exe	97
PID 2548 wrote to memory of 2956	2548	Solara.exe	97
PID 2548 wrote to memory of 2960	2548	Solara.exe	33
PID 2548 wrote to memory of 2960	2548	Solara.exe	33
PID 2548 wrote to memory of 2960	2548	Solara.exe	33
PID 2548 wrote to memory of 2116	2548	Solara.exe	35
PID 2548 wrote to memory of 2116	2548	Solara.exe	35
PID 2548 wrote to memory of 2116	2548	Solara.exe	35
PID 2116 wrote to memory of 1452	2116	Exela.exe	36
PID 2116 wrote to memory of 1452	2116	Exela.exe	36
PID 2116 wrote to memory of 1452	2116	Exela.exe	36
PID 2956 wrote to memory of 2352	2956	Solara.exe	134
PID 2956 wrote to memory of 2352	2956	Solara.exe	134
PID 2956 wrote to memory of 2352	2956	Solara.exe	134
PID 2956 wrote to memory of 3024	2956	Solara.exe	131
PID 2956 wrote to memory of 3024	2956	Solara.exe	131
PID 2956 wrote to memory of 3024	2956	Solara.exe	131
PID 2956 wrote to memory of 2884	2956	Solara.exe	60
PID 2956 wrote to memory of 2884	2956	Solara.exe	60
PID 2956 wrote to memory of 2884	2956	Solara.exe	60
PID 2956 wrote to memory of 1544	2956	Solara.exe	165
PID 2956 wrote to memory of 1544	2956	Solara.exe	165
PID 2956 wrote to memory of 1544	2956	Solara.exe	165
PID 1544 wrote to memory of 1828	1544	Exela.exe	148
PID 1544 wrote to memory of 1828	1544	Exela.exe	148
PID 1544 wrote to memory of 1828	1544	Exela.exe	148
PID 3024 wrote to memory of 1144	3024	Solara.exe	44
PID 3024 wrote to memory of 1144	3024	Solara.exe	44
PID 3024 wrote to memory of 1144	3024	Solara.exe	44
PID 3024 wrote to memory of 1836	3024	Solara.exe	145
PID 3024 wrote to memory of 1836	3024	Solara.exe	145
PID 3024 wrote to memory of 1836	3024	Solara.exe	145
PID 3024 wrote to memory of 2632	3024	Solara.exe	65
PID 3024 wrote to memory of 2632	3024	Solara.exe	65
PID 3024 wrote to memory of 2632	3024	Solara.exe	65
PID 3024 wrote to memory of 1164	3024	Solara.exe	49
PID 3024 wrote to memory of 1164	3024	Solara.exe	49
PID 3024 wrote to memory of 1164	3024	Solara.exe	49
PID 1164 wrote to memory of 1984	1164	Exela.exe	50
PID 1164 wrote to memory of 1984	1164	Exela.exe	50
PID 1164 wrote to memory of 1984	1164	Exela.exe	50
PID 1836 wrote to memory of 2200	1836	Solara.exe	51
PID 1836 wrote to memory of 2200	1836	Solara.exe	51
PID 1836 wrote to memory of 2200	1836	Solara.exe	51
PID 1836 wrote to memory of 2312	1836	Solara.exe	53
PID 1836 wrote to memory of 2312	1836	Solara.exe	53
PID 1836 wrote to memory of 2312	1836	Solara.exe	53
PID 1836 wrote to memory of 2124	1836	Solara.exe	147
PID 1836 wrote to memory of 2124	1836	Solara.exe	147
PID 1836 wrote to memory of 2124	1836	Solara.exe	147
PID 1836 wrote to memory of 2852	1836	Solara.exe	56
PID 1836 wrote to memory of 2852	1836	Solara.exe	56
PID 1836 wrote to memory of 2852	1836	Solara.exe	56
PID 2852 wrote to memory of 1924	2852	Exela.exe	57
PID 2852 wrote to memory of 1924	2852	Exela.exe	57
PID 2852 wrote to memory of 1924	2852	Exela.exe	57
PID 2312 wrote to memory of 796	2312	Solara.exe	59
PID 2312 wrote to memory of 796	2312	Solara.exe	59
PID 2312 wrote to memory of 796	2312	Solara.exe	59
PID 2312 wrote to memory of 2188	2312	Solara.exe	184

C:\Users\Admin\AppData\Local\Temp\Solara.exe
C:\Users\Admin\AppData\Local\Temp\Solara.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\Solara.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
      - C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        7⤵
        Loads dropped DLL
        
        PID:1384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        8⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        9⤵
        Loads dropped DLL
        
        PID:2980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        10⤵
        Loads dropped DLL
        
        PID:1708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        11⤵
        Loads dropped DLL
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        12⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        13⤵
        Loads dropped DLL
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        14⤵
        Loads dropped DLL
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        15⤵
        Loads dropped DLL
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        16⤵
        Loads dropped DLL
        
        PID:3024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        17⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        18⤵
        Loads dropped DLL
        
        PID:1836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        19⤵
        Loads dropped DLL
        
        PID:2600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        20⤵
        Loads dropped DLL
        
        PID:2520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        21⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        22⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        23⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        23⤵
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        24⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        24⤵
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        25⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        25⤵
        
        PID:2812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        26⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        26⤵
        
        PID:1532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        27⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        27⤵
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        28⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        28⤵
        
        PID:2124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        29⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        29⤵
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        30⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        30⤵
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        31⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        31⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        32⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        32⤵
        
        PID:2236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        33⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        33⤵
        
        PID:3048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        34⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        34⤵
        
        PID:2384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        35⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        35⤵
        Adds Run key to start application
        
        PID:2040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        36⤵
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        37⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        37⤵
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        38⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        38⤵
        Adds Run key to start application
        
        PID:892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        39⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        39⤵
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        40⤵
        Adds Run key to start application
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        41⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        41⤵
        
        PID:944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        42⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        42⤵
        Adds Run key to start application
        
        PID:848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        43⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        43⤵
        
        PID:1060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        44⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        44⤵
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        45⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        45⤵
        
        PID:572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        46⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        46⤵
        
        PID:1684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        47⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        47⤵
        
        PID:2700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        48⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        48⤵
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        49⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        49⤵
        Adds Run key to start application
        
        PID:1416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        50⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        50⤵
        Adds Run key to start application
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        51⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        51⤵
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        52⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        52⤵
        
        PID:2740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        53⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        53⤵
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        54⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        54⤵
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        55⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        55⤵
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        56⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        56⤵
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        57⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        57⤵
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        58⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        58⤵
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        59⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        59⤵
        
        PID:380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        60⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        60⤵
        
        PID:2740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        61⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        61⤵
        
        PID:2328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        62⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        62⤵
        
        PID:1916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        63⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        63⤵
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        64⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        64⤵
        
        PID:380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        65⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        65⤵
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        66⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        66⤵
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        67⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        67⤵
        
        PID:2284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        68⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        68⤵
        
        PID:912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        69⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        69⤵
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        70⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        70⤵
        Adds Run key to start application
        
        PID:2704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        71⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        71⤵
        
        PID:2236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        72⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        72⤵
        
        PID:1960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        73⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        73⤵
        Adds Run key to start application
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        74⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        74⤵
        Adds Run key to start application
        
        PID:2352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        75⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        75⤵
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        76⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        76⤵
        
        PID:2636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        77⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        77⤵
        
        PID:2792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        78⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        78⤵
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        79⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        79⤵
        Adds Run key to start application
        
        PID:1380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        80⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        80⤵
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        81⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        81⤵
        
        PID:1260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        82⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        82⤵
        
        PID:880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        83⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        83⤵
        
        PID:1040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        84⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        84⤵
        Adds Run key to start application
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        85⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        85⤵
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        86⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        86⤵
        
        PID:3456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        87⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        87⤵
        Adds Run key to start application
        
        PID:3912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        88⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        88⤵
        Adds Run key to start application
        
        PID:3280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        89⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        89⤵
        
        PID:3996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        90⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        90⤵
        
        PID:3344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        91⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        91⤵
        
        PID:3980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        92⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        92⤵
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        93⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        93⤵
        
        PID:4076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        94⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        94⤵
        Adds Run key to start application
        
        PID:2956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        95⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        95⤵
        
        PID:3792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        96⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        96⤵
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        97⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        97⤵
        
        PID:3076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        98⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        98⤵
        
        PID:3164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        99⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        99⤵
        
        PID:3104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        100⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        100⤵
        
        PID:3644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        101⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        101⤵
        Adds Run key to start application
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        102⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        102⤵
        
        PID:3480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        103⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        103⤵
        
        PID:3280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        104⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        104⤵
        
        PID:3104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        105⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        105⤵
        
        PID:3800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        106⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        106⤵
        Adds Run key to start application
        
        PID:3196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        107⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        107⤵
        
        PID:3552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        108⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        108⤵
        
        PID:3480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        109⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        109⤵
        
        PID:3904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        110⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        110⤵
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        111⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        111⤵
        
        PID:3460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        112⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        112⤵
        
        PID:3484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        113⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        113⤵
        Adds Run key to start application
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        114⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        114⤵
        
        PID:3944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        115⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        115⤵
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        116⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        116⤵
        Adds Run key to start application
        
        PID:3300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        117⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        117⤵
        Adds Run key to start application
        
        PID:3484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        118⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        118⤵
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        119⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        119⤵
        
        PID:3828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        120⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        120⤵
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        121⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        121⤵
        
        PID:3252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        122⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        122⤵
        Adds Run key to start application
        
        PID:3352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        123⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        123⤵
        
        PID:1492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        124⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        124⤵
        
        PID:3500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        125⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        125⤵
        
        PID:2196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        126⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        126⤵
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        127⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        127⤵
        
        PID:3796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        128⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        128⤵
        
        PID:3524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        129⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        129⤵
        
        PID:3176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        130⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        130⤵
        Adds Run key to start application
        
        PID:3748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        131⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        131⤵
        
        PID:2860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        132⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        132⤵
        
        PID:2240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        133⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        133⤵
        
        PID:5080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        134⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        134⤵
        
        PID:5064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        135⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        135⤵
        Adds Run key to start application
        
        PID:3964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        136⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        136⤵
        
        PID:5000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        137⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        137⤵
        
        PID:4892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        138⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        138⤵
        
        PID:4924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        139⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        139⤵
        
        PID:5028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        140⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        140⤵
        
        PID:4764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        141⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        141⤵
        
        PID:5028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        142⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        142⤵
        Adds Run key to start application
        
        PID:2240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        143⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        143⤵
        
        PID:5072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        144⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        144⤵
        
        PID:4000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        145⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        145⤵
        
        PID:3596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        146⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        146⤵
        Adds Run key to start application
        
        PID:1924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        147⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        147⤵
        
        PID:3824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        148⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        148⤵
        
        PID:3156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        149⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        149⤵
        
        PID:1156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        150⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        150⤵
        
        PID:4772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        151⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        151⤵
        
        PID:4848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        152⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        152⤵
        
        PID:2860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        153⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        153⤵
        
        PID:3936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        154⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        154⤵
        Adds Run key to start application
        
        PID:5512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        155⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        155⤵
        
        PID:5964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        156⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        156⤵
        Adds Run key to start application
        
        PID:5312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        157⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        157⤵
        
        PID:5772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        158⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        158⤵
        
        PID:4812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        159⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        159⤵
        Adds Run key to start application
        
        PID:5648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        160⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        160⤵
        Adds Run key to start application
        
        PID:4848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        161⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        161⤵
        Adds Run key to start application
        
        PID:5640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        162⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        162⤵
        Adds Run key to start application
        
        PID:6124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        163⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        163⤵
        
        PID:5496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        164⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        164⤵
        Adds Run key to start application
        
        PID:6020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        165⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        165⤵
        
        PID:5560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        166⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        166⤵
        
        PID:4904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        167⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        167⤵
        Adds Run key to start application
        
        PID:5808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        168⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        168⤵
        
        PID:6088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        169⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        169⤵
        
        PID:5352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        170⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        170⤵
        
        PID:5272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        171⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        171⤵
        Adds Run key to start application
        
        PID:5152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        172⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        172⤵
        
        PID:3848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        173⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        173⤵
        
        PID:6024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        174⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        174⤵
        
        PID:5360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        175⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        175⤵
        
        PID:5592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        176⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        176⤵
        Adds Run key to start application
        
        PID:4032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        177⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        177⤵
        
        PID:6116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        178⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        178⤵
        
        PID:6104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        179⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        179⤵
        
        PID:5784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        180⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        180⤵
        
        PID:5336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        181⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        181⤵
        
        PID:5184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        182⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        182⤵
        
        PID:6088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        183⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        183⤵
        
        PID:1924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        184⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        184⤵
        
        PID:5656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        185⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        185⤵
        
        PID:5356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        186⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        186⤵
        Adds Run key to start application
        
        PID:5536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        187⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        187⤵
        
        PID:3780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        188⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        188⤵
        
        PID:5408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        189⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        189⤵
        
        PID:5312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        190⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        190⤵
        
        PID:5840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        191⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        191⤵
        
        PID:4032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        192⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        192⤵
        Adds Run key to start application
        
        PID:5704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        193⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        193⤵
        
        PID:4920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        194⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        194⤵
        
        PID:5868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        195⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        195⤵
        
        PID:4904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        196⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        196⤵
        
        PID:5932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        197⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        197⤵
        
        PID:4412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        198⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        198⤵
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        199⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        199⤵
        
        PID:6036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        200⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        200⤵
        
        PID:4588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        201⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        201⤵
        
        PID:3584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        202⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        202⤵
        
        PID:5148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        203⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        203⤵
        Adds Run key to start application
        
        PID:5932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        203⤵
        
        PID:5984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        202⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        202⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        203⤵
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        201⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        201⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        202⤵
        
        PID:5136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        200⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        200⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        201⤵
        
        PID:3076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        199⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        199⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        200⤵
        
        PID:5704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        198⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        198⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        199⤵
        
        PID:5664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        197⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        197⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        198⤵
        
        PID:5668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        196⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        196⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        197⤵
        
        PID:1348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        195⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        195⤵
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        196⤵
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        194⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        194⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        195⤵
        
        PID:3708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        193⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        193⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        194⤵
        
        PID:5256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        192⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        192⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        193⤵
        
        PID:5472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        191⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        191⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        192⤵
        
        PID:5684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        190⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        190⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        191⤵
        
        PID:5124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        189⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        189⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        190⤵
        
        PID:5396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        188⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        188⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        189⤵
        
        PID:4484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        187⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        187⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        188⤵
        
        PID:6120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        186⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        186⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        187⤵
        
        PID:6040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        185⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        185⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        186⤵
        
        PID:5204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        184⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        184⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        185⤵
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        183⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        183⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        184⤵
        
        PID:3480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        182⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        182⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        183⤵
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        181⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        181⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        182⤵
        
        PID:1368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        180⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        180⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        181⤵
        
        PID:5732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        179⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        179⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        180⤵
        
        PID:5796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        178⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        178⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        179⤵
        
        PID:5792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        177⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        177⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        178⤵
        
        PID:5540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        176⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        176⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        177⤵
        
        PID:5736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        175⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        175⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        176⤵
        
        PID:3776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        174⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        174⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        175⤵
        
        PID:5432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        173⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        173⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        174⤵
        
        PID:5388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        172⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        172⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        173⤵
        
        PID:5916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        171⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        171⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        172⤵
        
        PID:5292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        170⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        170⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        171⤵
        
        PID:5448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        169⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        169⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        170⤵
        
        PID:6048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        168⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        168⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        169⤵
        
        PID:5608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        167⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        167⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        168⤵
        
        PID:6044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        166⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        166⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        167⤵
        
        PID:4012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        165⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        165⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        166⤵
        
        PID:5956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        164⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        164⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        165⤵
        
        PID:5132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        163⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        163⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        164⤵
        
        PID:5788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        162⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        162⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        163⤵
        
        PID:5380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        161⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        161⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        162⤵
        
        PID:5696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        160⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        160⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        161⤵
        
        PID:5208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        159⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        159⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        160⤵
        
        PID:6052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        158⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        158⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        159⤵
        
        PID:5576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        157⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        157⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        158⤵
        
        PID:6108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        156⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        156⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        157⤵
        
        PID:5636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        155⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        155⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        156⤵
        
        PID:5004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        154⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        154⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        155⤵
        
        PID:5824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        153⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        153⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        154⤵
        
        PID:5368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        152⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        152⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        153⤵
        
        PID:4836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        151⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        151⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        152⤵
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        150⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        150⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        151⤵
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        149⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        149⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        150⤵
        
        PID:2392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        148⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        148⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        149⤵
        
        PID:4788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        147⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        147⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        148⤵
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        146⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        146⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        147⤵
        
        PID:4916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        145⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        145⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        146⤵
        
        PID:5020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        144⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        144⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        145⤵
        
        PID:5100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        143⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        143⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        144⤵
        
        PID:3984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        142⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        142⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        143⤵
        
        PID:3880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        141⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        141⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        142⤵
        
        PID:5000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        140⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        140⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        141⤵
        
        PID:4816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        139⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        139⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        140⤵
        
        PID:4752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        138⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        138⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        139⤵
        
        PID:4928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        137⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        137⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        138⤵
        
        PID:5060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        136⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        136⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        137⤵
        
        PID:4932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        135⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        135⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        136⤵
        
        PID:3804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        134⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        134⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        135⤵
        
        PID:4868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        133⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        133⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        134⤵
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        132⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        132⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        133⤵
        
        PID:4936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        131⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        131⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        132⤵
        
        PID:1492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        130⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        130⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        131⤵
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        129⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        129⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        130⤵
        
        PID:2780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        128⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        128⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        129⤵
        
        PID:3400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        127⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        127⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        128⤵
        
        PID:1488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        126⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        126⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        127⤵
        
        PID:3672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        125⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        125⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        126⤵
        
        PID:3932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        124⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        124⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        125⤵
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        123⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        123⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        124⤵
        
        PID:3148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        122⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        122⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        123⤵
        
        PID:4092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        121⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        121⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        122⤵
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        120⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        120⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        121⤵
        
        PID:3992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        119⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        119⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        120⤵
        
        PID:3196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        118⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        118⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        119⤵
        
        PID:3328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        117⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        117⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        118⤵
        
        PID:2492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        116⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        116⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        117⤵
        
        PID:3944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        115⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        115⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        116⤵
        
        PID:3912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        114⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        114⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        115⤵
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        113⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        113⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        114⤵
        
        PID:3952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        112⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        112⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        113⤵
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        111⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        111⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        112⤵
        
        PID:3736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        110⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        110⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        111⤵
        
        PID:3520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        109⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        109⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        110⤵
        
        PID:3760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        108⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        108⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        109⤵
        
        PID:964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        107⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        107⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        108⤵
        
        PID:3600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        106⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        106⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        107⤵
        
        PID:2900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        105⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        105⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        106⤵
        
        PID:3476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        104⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        104⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        105⤵
        
        PID:3832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        103⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        103⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        104⤵
        
        PID:4048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        102⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        102⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        103⤵
        
        PID:3412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        101⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        101⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        102⤵
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        100⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        100⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        101⤵
        
        PID:3840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        99⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        99⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        100⤵
        
        PID:880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        98⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        98⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        99⤵
        
        PID:1620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        97⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        97⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        98⤵
        
        PID:3324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        96⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        96⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        97⤵
        
        PID:1076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        95⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        95⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        96⤵
        
        PID:3140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        94⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        94⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        95⤵
        
        PID:2620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        93⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        93⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        94⤵
        
        PID:940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        92⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        92⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        93⤵
        
        PID:3620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        91⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        91⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        92⤵
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        90⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        90⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        91⤵
        
        PID:3684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        89⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        89⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        90⤵
        
        PID:3220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        88⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        88⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        89⤵
        
        PID:3852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        87⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        87⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        88⤵
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        86⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        86⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        87⤵
        
        PID:3764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        85⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        85⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        86⤵
        
        PID:3316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        84⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        84⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        85⤵
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        83⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        83⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        84⤵
        
        PID:996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        82⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        82⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        83⤵
        
        PID:1416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        81⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        81⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        82⤵
        
        PID:2080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        80⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        80⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        81⤵
        
        PID:1384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        79⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        79⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        80⤵
        
        PID:644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        78⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        78⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        79⤵
        
        PID:2176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        77⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        77⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        78⤵
        
        PID:1208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        76⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        76⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        77⤵
        
        PID:2160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        75⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        75⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        76⤵
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        74⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        74⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        75⤵
        
        PID:2412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        73⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        73⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        74⤵
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        72⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        72⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        73⤵
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        71⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        71⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        72⤵
        
        PID:2264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        70⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        70⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        71⤵
        
        PID:2888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        69⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        69⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        70⤵
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        68⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        68⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        69⤵
        
        PID:2468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        67⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        67⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        68⤵
        
        PID:2232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        66⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        66⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        67⤵
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        65⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        65⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        66⤵
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        64⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        64⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        65⤵
        
        PID:1548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        63⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        63⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        64⤵
        
        PID:1220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        62⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        62⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        63⤵
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        61⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        61⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        62⤵
        
        PID:1516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        60⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        60⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        61⤵
        
        PID:1212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        59⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        59⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        60⤵
        
        PID:2736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        58⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        59⤵
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        57⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        57⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        58⤵
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        56⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        56⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        57⤵
        
        PID:3040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        55⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        55⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        56⤵
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        54⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        54⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        55⤵
        
        PID:960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        53⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        53⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        54⤵
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        52⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        52⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        53⤵
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        51⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        51⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        52⤵
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        50⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        50⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        51⤵
        
        PID:2844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        49⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        49⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        50⤵
        
        PID:2156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        48⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        48⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        49⤵
        
        PID:2576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        47⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        47⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        48⤵
        
        PID:2012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        46⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        46⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        47⤵
        
        PID:484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        45⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        45⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        46⤵
        
        PID:2432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        44⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        44⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        45⤵
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        43⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        43⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        44⤵
        
        PID:2940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        42⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        42⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        43⤵
        
        PID:2544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        41⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        41⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        42⤵
        
        PID:2124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        40⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        40⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        41⤵
        
        PID:1592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        39⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        39⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        40⤵
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        38⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        38⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        39⤵
        
        PID:2252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        37⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        37⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        38⤵
        
        PID:2644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        36⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        37⤵
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        35⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        35⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        36⤵
        
        PID:2980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        34⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        35⤵
        
        PID:1256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        33⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        33⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        34⤵
        
        PID:580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        32⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        32⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        33⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        31⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        31⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        32⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        30⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        30⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        29⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        29⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        30⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        28⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        28⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        29⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        27⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        27⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        28⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        26⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        26⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        27⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        25⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        25⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        26⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        24⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        24⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        25⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        23⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        23⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        24⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        22⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
      - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
      "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
      "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-688151191-7875597421152841832071157741298102607166124139143507378410781931"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1646340512-1410389884-124919084711927981431482554234-2011509712-108406168-1661856590"
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1512211595-269030738213420529014307731098675848662093664103-1722299143536549461"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-987382770662047968-1014244701450395317-726578032341152058-579838766290166853"
1⤵
PID:1544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "998506601-690815367347809842-146236621017561247536813971651989466817-2137358566"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-638368148-834633328-20660273206122409631309139667-1679461005-765301979-1542354253"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "931992071802580167718281571-19595063378956981391419883310-6123808961526910262"
1⤵
PID:2808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-950036391-2093288140-80825207-459885147-17319018501875934876-942687728153672330"
1⤵
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "931118259-17777297791193541594-1507000915-1799124302-103494605-1958309160461826323"
1⤵
PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1724976652-7537938801057358066-1284311726-43385741423299062-1666867449123487114"
1⤵
PID:3016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19171364561715089876-258276271-527316018-1925165715102684205611054184141849015149"
1⤵
PID:1544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1806237785-2055916722271826633-1299310071522522062-1247947132-2085737612-518793175"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "175550702588830109-15785812-1980692924328573481-23160242-21260686691760453904"
1⤵
PID:624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "278904052990786623-7178414221936358852-214147448636826515692991201576817307"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1498506683-1467455882005267653-13560808551409842869-2082096076-433568992-751959926"
1⤵
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI11642\attrs-24.3.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21162\python310.dll

Filesize
1.4MB

MD5
fc7bd515b12e537a39dc93a09b3eaad6

SHA1
96f5d4b0967372553cb106539c5566bc184f6167

SHA256
461e008b7cdf034f99a566671b87849772873a175aefec6ed00732976f5c4164

SHA512
a8433d5b403f898e4eeebd72fce08ebad066ca60aeb0b70e2ae78377babc2acbbae2ac91ab20f813cce4b1dc58c2ad6b3868f18cc8ac0fe7be2bff020eb73122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_asyncio.pyd

Filesize
34KB

MD5
7d4f9a2b793e021f7e37b8448751ed4e

SHA1
0ea07b5024501aad5008655cfeae6d96b5da957a

SHA256
2293c1b6b0b901832a57a1c4dcb1265c9e92d21177195712c30632a7b63227d4

SHA512
af75452279c308c61c3e222a031a8201e47e8fe44c4e92cb7dab03d56c7e7e3e2a2c589f650c50e0b29e2df175d6f2ff50c8e5e589d17a124bf0a2e0d7886c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_bz2.pyd

Filesize
46KB

MD5
6250a28b9d0bfefc1254bd78ece7ae9f

SHA1
4b07c8e18d23c8ae9d92d7b8d39ae20bc447aecd

SHA256
7d43f7105aa4f856239235c67f61044493ee6f95ddf04533189bf5ea98073f0b

SHA512
6d0aa5c3f8f5b268b94341dfdd5afbe48f91f9aac143bf59f7f5e8ba6f54205b85ec527c53498ed8860fdff6a8d08e48ec4e1652eeab2d3c89aaaf3a14fcaaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_ctypes.pyd

Filesize
56KB

MD5
4b90108fabdd64577a84313c765a2946

SHA1
245f4628683a3e18bb6f0d1c88aa26fb959ed258

SHA256
e1b634628839a45ab08913463e07b6b6b7fd502396d768f43b21da2875b506a1

SHA512
91fa069d7cf61c57faad6355f6fd46d702576c4342460dadcedfdcbc07cd9d84486734f0561fa5e1e01668b384c3c07dd779b332f77d0bb6fbdbb8c0cb5091bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_decimal.pyd

Filesize
103KB

MD5
20985dc78dbd1992382354af5ca28988

SHA1
385a3e7a7654e5e4c686399f3a72b235e941e311

SHA256
f3620cac68595b8a8495ab044f19a1c89012f50d2fe571b7a1721485f7ff2e43

SHA512
61b8ecd2d12b3f785773b98d4bf4af0eb6eb2c61fbea6effb77ec24b2127e888d0ea5fdd8cc298484e0f770d70c87907048fc382faace8e0ca6b49ab106c89f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_hashlib.pyd

Filesize
33KB

MD5
3b5530f497ff7c127383d0029e680c35

SHA1
fb5dc554bb9ff49622184cc16883a7567115c7ca

SHA256
5971fcc9758b7f4a12cde2190a323f35a34ab7f97bd8c39cc8f3335223102573

SHA512
12ced7ddb0352f8eca3c3cb7c7c2faaf08e617b2dd278d20008051fb6b564b17c3e9ecfa8b0ffe7674154ad533dfbbf1e802accd5e1aef12ece01368da06e85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_lzma.pyd

Filesize
84KB

MD5
8edbeeccb6f3dbb09389d99d45db5542

SHA1
f7e7af2851a5bf22de79a24fe594b5c0435fca8a

SHA256
90701973be6b23703e495f6a145bae251a7bb066d3c5f398ec42694fd06a069f

SHA512
2a8bf60f2280b9a947578bd7fd49c3ace8e010a3d4b38e370edb511ea0e125df688bbac369d6a3cec9d285a1fa2ad2dac18a0ef30fda46e49a9440418581e501

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_multiprocessing.pyd

Filesize
25KB

MD5
4fbc5fd5da9da74c04fe0374387b34d3

SHA1
1e9c98db0486f98fb7d8eb9fa57a949494b649b5

SHA256
b2347790c87052623710382d3178887f68a79618d6da5174909f46b169236950

SHA512
ce87d4512c2ab7c1ad7986e8e1fe790615ae39c7667d234dfc09026ee7e1518b3bfbf7974612811db0c3e5654b35b54e118e23e624bebe027a51d2c8f2a4652a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_overlapped.pyd

Filesize
30KB

MD5
5c1441f6ee11632183a83dac2d22853b

SHA1
eef732ff4bab9ea5c8fffb6a93c47cfc8e64dae2

SHA256
104e0b0e0e9fec9eb6438683296feeba298d5f23b02d2080577fc87ffec67acf

SHA512
e41d3433754a8a3d2c572bb7f3902c0d37cba2e6f3307f0e6dfed316a22b11ef7e52a73c30085fa89fcff603e4b76858abe761217c320e38fa2eb95d1777b595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_queue.pyd

Filesize
24KB

MD5
5c4c43763fb1a796134aa5734905c891

SHA1
44a5e1ae4806406a239129d77888bd87d291a410

SHA256
4edc80e7d331ba0e9338431d407157181190f995821d1cd24f7a7aa2422ece0c

SHA512
07bec7e4a85e76cfab2c21776b50ee2bd0454835fcb43b573dee757eca24cbeb4530784bae07de3be90820cee6d72023d9ded395d4f1a4931971db247dc1a71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_socket.pyd

Filesize
41KB

MD5
53e72716073038c1dd1db65bfdb1254c

SHA1
7bf220a02a3b51aa51300b3a9ea7fa48358ca161

SHA256
e1fb6927ba2ed014d0ac750af0ee0bb3d49487dd6920848937259606e1e92e1d

SHA512
c10d91b6ec82402b0eb05dc31a4703c999f4988e88204b695e009fae5fdcc61e8a6dc4d2879ecf2babc030224048afd2f256b9e7f5c5b6f28762047813be0941

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_sqlite3.pyd

Filesize
48KB

MD5
e7d68df8f65fbb0298a45519e2336f32

SHA1
ad3c84ad7eb75a61f287b1ba9fd2801567e39b6d

SHA256
2473ebaf52723c3751a12117ebbe974e50ecdaeb40b282a12ba4e6aa98492e79

SHA512
626204685e9b95310aba51be4a8abaf3b6e152fa35902f64f837303fc4011a4518ee393047ceb45bf377e9d965d169c92bfbb6673475150e159c59b7857ba03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_ssl.pyd

Filesize
60KB

MD5
7e9d95ac47a2284706318656b4f711d3

SHA1
f085104709201c6e64635aeacf1da51599054e55

SHA256
38dcb3d0f217785b39c03d4c949dd1e04b70e9eade8a4ad83f026390684059c9

SHA512
294a5148d8fcddabd177b776617da7720d9876ac2a1cdf8dd7b9489f0f719600a634346cdfa07da66588de885b0a64d8cccde4d47edbf6305bd2af44ee209118

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\_uuid.pyd

Filesize
21KB

MD5
59cfd9669367517b384922b2485cb6a7

SHA1
1bd44298543204d61d4efd2cd3980ad01071360d

SHA256
e02bfad84786560b624efd56df55c88a4ffbd6c7cfc728bf68b6401aa10f849f

SHA512
d0dd041d8493c7c19db01ea8477981148726796ce2ab58d3193064123319bd5b68fd57871d1db0aaa08d07f78ab96a3d343051c33ffd406e96b921248ea32665

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
23df1d1a4bfd29c6c0f89d1a42bbecbb

SHA1
b8e5686724223bd5e8ed0b7a3517cdc3005be66a

SHA256
10f7967a3c574caea10fd5a94c9b6eba405ed6afec402969424c143566593adc

SHA512
75a455a9eb96bd52f0d795188a1120ee14d36944c331d97b4c3da837238bd2928cff29df27c0f17093022d976c0c2e54189babd94c6dc927ac325216c340481a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
b0e8cbf64f3728eee12e6e0756e67c95

SHA1
71bc5ae8847dac5d0737e6321833a37da655d538

SHA256
7a931c3108173c4d8cc4ed7304414fcd3ba67ceff81f84506dcdda8979f5f33b

SHA512
622126f5a1fc5e275680bb64648a8cac6a5eaf3e7d6a262f0002afc26cec6d9c3addbba257626ac54189b7f85e5abdfc3809954ce0437046fc64b643a4e8cb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\aiohttp\_websocket\mask.cp310-win_amd64.pyd

Filesize
19KB

MD5
2b5d378afb9aeb031ed1a84f5c216291

SHA1
7955e2ec7e7ffa13e58af098d37c480c8f23ccad

SHA256
1d44b957609599fdf3115bb47bd668f560b63d4d84c74c1f7bf1f3dc05246d6a

SHA512
9102a95c57024afddb67b6500ce1606a2bf5923aa66f67e21fec23c1efb1c9a0cd77c55417b25c7cdbcda119cd817ea4219a1fe321a2f9300f8bffa99d8b0a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd

Filesize
61KB

MD5
2cb730463ee9a2360b568bb54ff283b1

SHA1
e63b5d62d281f153ab2c3487f4423bec259e1bd5

SHA256
17b026c18dc25b2f8842da41484e39c8e92bd3ff9fe0f6d03f9fdc389991e7ae

SHA512
a7891ba2619cc6910c47ffac153ba31a3b17f67f08654f7a1fed380b1f4951673573f5e5a59e45e4edc432b135dbb57bb82c3b4cbdfc265d0daa6fca587ab732

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\attrs-24.3.0.dist-info\METADATA

Filesize
11KB

MD5
0e682e7854fe836cad441326ab36d36d

SHA1
3efad7961f8f2dfb0a22a1eeabd3a92b9da0ab23

SHA256
7fd8611027805324bb89ec073d1b8c2c3cb5b6927abf2cbc47f4ca5270a6880f

SHA512
54fd3b0c98dce7c11691d08ca22c9c8a74cd838d03723dda3fbac326efc2550edb892f9d45aa3956c9c5c35b8c20fe096f6a002dee07150b437a1e7e76ac175a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\attrs-24.3.0.dist-info\RECORD

Filesize
3KB

MD5
72c9f466183f7eae813f25ed47198941

SHA1
7498fae0d90f7f64d6c954849225e82c8f1bac92

SHA256
a237de627ee31b429fed81bdff4fa5b5b22bc979a2580e1205acaedc78761143

SHA512
6ed2a1293fa6e27ca3bdaa95af38e3b2299d1d77b7e0fb2d67552cd8f3acaee5be94d4f3f562e6bc42e6f6c7fc9d302c7bd5b14a1243ef86979e077242173c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\attrs-24.3.0.dist-info\WHEEL

Filesize
87B

MD5
e2fcb0ad9ea59332c808928b4b439e7a

SHA1
07311208d4849f821e8af25a89a9985c4503fbd8

SHA256
aad0b0a12256807936d52d4a6f88a1773236ae527564a688bab4e3fe780e8724

SHA512
d4cb3ca64d69678959c4f59b4d1cb992e8e2e046a6acb92341fd30b8ce862bd81a48cbfa09ec9ae2e735ffec5c12d246d1593a859615adee10984635a9ba8af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\attrs-24.3.0.dist-info\licenses\LICENSE

Filesize
1KB

MD5
5e55731824cf9205cfabeab9a0600887

SHA1
243e9dd038d3d68c67d42c0c4ba80622c2a56246

SHA256
882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f

SHA512
21b242bf6dcbafa16336d77a40e69685d7e64a43cc30e13e484c72a93cd4496a7276e18137dc601b6a8c3c193cb775db89853ecc6d6eb2956deee36826d5ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\base_library.zip

Filesize
859KB

MD5
9b62388394601020bd24fa9e7b4e9e0a

SHA1
06023daf857014770ff38d4ebbd600ba03109f28

SHA256
a6993db44fde43c8fdbf3512db50060812924c95f6f60aeb80913380a0b4f3e1

SHA512
ac1bfebb36d844a0c5909b34fc1100ff2d1f88a0b71a75aa27b4d2b281a90dcb05259b874e4fdb300572a0c029db96e507b5caefdaf03cc32050dc2b728c654b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\cryptography-44.0.0.dist-info\METADATA

Filesize
5KB

MD5
526d9ac9d8150602ec9ed8b9f4de7102

SHA1
dba2cb32c21c4b0f575e77bbcdd4fa468056f5e3

SHA256
d95f491ed418dc302db03804daf9335ce21b2df4704587e6851ef03e1f84d895

SHA512
fb13a2f6b64cb7e380a69424d484fc9b8758fa316a7a155ff062bfdacdca8f2c5d2a03898cd099688b1c16a5a0edcecfc42bf0d4d330926b10c3fce9f5238643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\cryptography-44.0.0.dist-info\RECORD

Filesize
15KB

MD5
f15ef7175220c9f59f90bbbaeda16dbd

SHA1
5367cac8814d7a54e1c0274ff3f651ed5c6fe5d6

SHA256
04db3839c853d4164576122b7d5a2bab186536dc8f9a4980385e11cf59946114

SHA512
bb0fa967e03d98b9611006df2155bd8ad58a0e8b1a679d636b94ce931d316f18b61b801e018deca90d8e5a35fa744ae8c9e1a36f25c791052008c43af53a8117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\cryptography-44.0.0.dist-info\WHEEL

Filesize
94B

MD5
a868f93fcf51c4f1c25658d54f994349

SHA1
535c88a10911673deabb7889d365e81729e483a6

SHA256
1e7f5bcad669386a11e8ce14e715131c2d402693c3f41d713eb338493c658c45

SHA512
ec13cac9df03676640ef5da033e8c2faee63916f27cc27b9c43f0824b98ab4a6ecb4c8d7d039fa6674ef189bdd9265c8ed509c1d80dff610aeb9e081093aeb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\cryptography-44.0.0.dist-info\licenses\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\cryptography-44.0.0.dist-info\licenses\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\cryptography-44.0.0.dist-info\licenses\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
606a84af5a9cf8ad3cb0314e77fb7209

SHA1
6de88d8554488ffe3e48c9b14886da16d1703a69

SHA256
0693ffa4990fa8c1664485f3d2a41b581eac0b340d07d62242052a67bf2ed5c3

SHA512
97d451f025aefb487c5cea568eb430356adfe23908321f1c04f8fa4c03df87507eda8d9612c944be4fa733df4cec38a0e37bffd8865088064b749244d4321b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
219ad30aea7630a3696df28231405927

SHA1
ebaf69903305ea0803570cc2ff4cf43dd2bc812a

SHA256
06d38127de4cbd3243f861ea22897d490520e913f77011a37d915c4992433604

SHA512
72eb7323deb26931ea000690f85272ee71e19b2896af2b43ccd8bcfc3a299e0f8a7a3f1e339fbfe7c855e081cd94e21ae09ba3b8e2d16dbacddb838c31b4de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
7f691747ce66d3ed05a7c2c53220c8b5

SHA1
1d3f247042030cf8cf7c859002941beba5d15776

SHA256
7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228

SHA512
b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
31KB

MD5
9fe92acae9522cd0044146e1b57c23fa

SHA1
ec8875039a387bb4ac302cd533b2fe27dbe75b43

SHA256
622077d084db60b50c43a1923d60c02f1900fffa3b5a11dfd34328e6fd341362

SHA512
cdf5dae191f9b6c75d5698d49d1a55a00695ac896a0823357ea7bf3332683231cb10b1544ec12fab5cf5a15117a92af18e1266f29ed3d3ccbcb56ff46a421e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\pyexpat.pyd

Filesize
86KB

MD5
46331749084f98bcfe8631d74c5e038f

SHA1
5e5510f7a4d03f10d979e0d6a0d2a6f0e53ca347

SHA256
21cc4b9ccd69d08d7c1068b1f004ae9454f7ea0a322801860faf0e6f4a24a3df

SHA512
edd39ce2d927fb6700a86db07f4f56cab897ef91a320f3e5ecb542ea1be6888dd27a08008e5fa1df3765b0c82d1046a23c8d59e76d11f4e6449d4d6826879589

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\python3.dll

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\select.pyd

Filesize
24KB

MD5
3797a47a60b606e25348c67043874fe8

SHA1
63a33fedffd52190236a6acd0fc5d9d491e3ac45

SHA256
312e9b01d1632840983e8533d1685a64fb87e4538f724a7a59a71b1ba148bbac

SHA512
3eb7599825b7b21aaab05e420dd16d4a8eaa21652d232f6e4ede213a232b701401556e44df73cfa20ae855d1adc28304b52d42367b74ebd8e96c2e3d9a9b93e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\sqlite3.dll

Filesize
608KB

MD5
6a3a34c9c67efd6c17d44292e8db8fad

SHA1
339b1e514d60d8370eaec1e2f2b71cead999f970

SHA256
7b0e840165d65f0f5285476467e4c154c4d936613966b84948110a4614b9cad9

SHA512
6f2a1b670d28762745f0d3b961a331cbbb0dec244f8798734b911b3a3bc9519c73a3b26f1e1117725f6f1e880e57cadb562a1450659bca1aae353f6b9575d7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\unicodedata.pyd

Filesize
287KB

MD5
fed35db31377d515d198e5e446498be2

SHA1
62e388d17e17208ea0e881ccd96c75b7b1fbc5f7

SHA256
af3cdc9a2a1d923be67244429867a3c5c70835249e3573a03b98d08d148fe24b

SHA512
0985528cb0289086ec895e21a8947e04f732d5660460f2e7fa8668bd441c891438781c808bcea9294f348720e3752c10ea65363371f7e75ea48600d016bab72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
8640834733897205d9193e1b21084135

SHA1
e452ae2dbabcc8691233428dd1da5d23961b047d

SHA256
bd209ab04ba8a3a40546832380547a460b1257f4fb4b4012f6fc48f9c36cc476

SHA512
365805a31ed3ef7648fa2fac49fecc0646dd5dfcad8468918623d962db6aab08339f510edccdaf1340f8bfc06a4628c070de947cdec55cfabdc3563af2de43e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8WTIRY0OQQC0V4X6EVWH.temp

Filesize
7KB

MD5
92cccf668210bef9bfc281f7dc65c97b

SHA1
a3a14b9f5c7b70bd4a3ec42a4d259605c744f556

SHA256
46bb94fe47e642d5548c852501d8b97c2f955768025136357965ae64302f9bc9

SHA512
b20f1c17ea24ee6f8f18e2a2c3b21fcd2507b717a4147d595dec64ed6b92be0ffd99b8bdbe5f2c58125d64d32649f4154da72affc12245de027fd7c35f6bf7dc

Download Submit
\Users\Admin\AppData\Local\Temp\Exela.exe

Filesize
9.5MB

MD5
0615d49be12c174704a3daad945f7b56

SHA1
90d67801dcff362ce2c2accafd5010c7f79567d6

SHA256
573a7f2fa701a7630318119d9e6d916cb8a0acd87a0a2797b7197e9ae85c0071

SHA512
40d702b8fd2993aeeb09755e760d3611d76f927ae6831ab7066386d3a133257e06330ddff2d28406b77c1d9e502e79a7a72b8984ce0d795948da07dd03b9bea9

Download Submit
memory/1020-1211-0x000007FEEDF30000-0x000007FEEE39E000-memory.dmp

Filesize
4.4MB

Download
memory/1136-436-0x000007FEF2F90000-0x000007FEF33FE000-memory.dmp

Filesize
4.4MB

Download
memory/1452-72-0x000007FEF4150000-0x000007FEF45BE000-memory.dmp

Filesize
4.4MB

Download
memory/1524-712-0x000007FEF2240000-0x000007FEF26AE000-memory.dmp

Filesize
4.4MB

Download
memory/1560-555-0x000007FEF2B20000-0x000007FEF2F8E000-memory.dmp

Filesize
4.4MB

Download
memory/1688-1096-0x000007FEEE3A0000-0x000007FEEE80E000-memory.dmp

Filesize
4.4MB

Download
memory/1828-136-0x000007FEF3CE0000-0x000007FEF414E000-memory.dmp

Filesize
4.4MB

Download
memory/1916-767-0x000007FEEFAF0000-0x000007FEEFF5E000-memory.dmp

Filesize
4.4MB

Download
memory/1924-263-0x000007FEF3870000-0x000007FEF3CDE000-memory.dmp

Filesize
4.4MB

Download
memory/1940-1434-0x000007FEED1E0000-0x000007FEED64E000-memory.dmp

Filesize
4.4MB

Download
memory/2160-7-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2160-6-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2160-8-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2224-880-0x000007FEEF0F0000-0x000007FEEF55E000-memory.dmp

Filesize
4.4MB

Download
memory/2548-0-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x0000000000380000-0x0000000001140000-memory.dmp

Filesize
13.8MB

Download
memory/2560-937-0x000007FEEEC80000-0x000007FEEF0EE000-memory.dmp

Filesize
4.4MB

Download
memory/2632-372-0x000007FEF3400000-0x000007FEF386E000-memory.dmp

Filesize
4.4MB

Download
memory/2728-1270-0x000007FEEDAC0000-0x000007FEEDF2E000-memory.dmp

Filesize
4.4MB

Download
memory/2764-1039-0x000007FEEE810000-0x000007FEEEC7E000-memory.dmp

Filesize
4.4MB

Download
memory/2788-611-0x000007FEF26B0000-0x000007FEF2B1E000-memory.dmp

Filesize
4.4MB

Download
memory/2876-1374-0x000007FEED650000-0x000007FEEDABE000-memory.dmp

Filesize
4.4MB

Download
memory/2960-15-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2960-14-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download