9235d2676794ff9cc054258ec08e894647ed0112a94f078c9b901d8f1aa049ce

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/Apps/geek.bat
Size

1KB
MD5

7ab38d80aa19a44d6a1c792400a44d15
SHA1

9cb921a2a61a9e1e42ef93c2a4d6f505c244a03e
SHA256

1c36c6df5dcc675f2f27b95503aadb92b6657f6c130be829605e55ca9b7dafda
SHA512

d7740258e28a3e468c33bfb0b47373a364c4fbff432dfe01322bd5b928c45a19fa2e50388aaa8e55d0b72b14b71ff783e9e3348ffdcc084c854b9d0288d694da

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://community.chocolatey.org/install.ps1

Signatures

Blocklisted process makes network request 64 IoCs

flow	pid	Process
3	2704	powershell.exe
4	2704	powershell.exe
5	1340	powershell.exe
6	1340	powershell.exe
7	1300	powershell.exe
8	1300	powershell.exe
9	1860	powershell.exe
10	1860	powershell.exe
11	2904	powershell.exe
12	2904	powershell.exe
13	2772	powershell.exe
14	2772	powershell.exe
15	3020	powershell.exe
16	3020	powershell.exe
17	1812	powershell.exe
18	1812	powershell.exe
19	2468	powershell.exe
20	2468	powershell.exe
21	1684	powershell.exe
22	1684	powershell.exe
23	1576	powershell.exe
24	1576	powershell.exe
25	1584	powershell.exe
26	1584	powershell.exe
27	1992	powershell.exe
28	1992	powershell.exe
29	1932	powershell.exe
30	1932	powershell.exe
31	1324	powershell.exe
32	1324	powershell.exe
33	1428	powershell.exe
34	1428	powershell.exe
35	2488	powershell.exe
36	2488	powershell.exe
37	2912	powershell.exe
38	2912	powershell.exe
39	1296	powershell.exe
40	1296	powershell.exe
41	2756	powershell.exe
42	2756	powershell.exe
43	1224	powershell.exe
44	1224	powershell.exe
45	956	powershell.exe
46	956	powershell.exe
47	1440	powershell.exe
48	1440	powershell.exe
49	2540	powershell.exe
50	2540	powershell.exe
51	1420	powershell.exe
52	1420	powershell.exe
53	1020	powershell.exe
54	1020	powershell.exe
55	2768	powershell.exe
56	2768	powershell.exe
57	580	powershell.exe
58	580	powershell.exe
59	2560	powershell.exe
60	2560	powershell.exe
61	2160	powershell.exe
62	2160	powershell.exe
63	1360	powershell.exe
64	1360	powershell.exe
65	3056	powershell.exe
66	3056	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
440	powershell.exe
1716	powershell.exe
1324	powershell.exe
1864	powershell.exe
1504	powershell.exe
2032	powershell.exe
2772	powershell.exe
2296	powershell.exe
2552	powershell.exe
2704	powershell.exe
2680	powershell.exe
520	powershell.exe
2760	powershell.exe
1604	powershell.exe
1912	powershell.exe
2972	powershell.exe
1920	powershell.exe
2740	powershell.exe
1864	powershell.exe
3004	powershell.exe
2280	powershell.exe
2692	powershell.exe
1848	powershell.exe
2056	powershell.exe
1516	powershell.exe
2924	powershell.exe
1612	powershell.exe
2344	powershell.exe
1420	powershell.exe
264	powershell.exe
1948	powershell.exe
464	powershell.exe
2072	powershell.exe
2200	powershell.exe
2776	powershell.exe
1020	powershell.exe
680	powershell.exe
2380	powershell.exe
1684	powershell.exe
2280	powershell.exe
2508	powershell.exe
1428	powershell.exe
876	powershell.exe
696	powershell.exe
1932	powershell.exe
1584	powershell.exe
2772	powershell.exe
1224	powershell.exe
2796	powershell.exe
2752	powershell.exe
1572	powershell.exe
1488	powershell.exe
1932	powershell.exe
1584	powershell.exe
1972	powershell.exe
2724	powershell.exe
1724	powershell.exe
2512	powershell.exe
2288	powershell.exe
1428	powershell.exe
1044	powershell.exe
2768	powershell.exe
1724	powershell.exe
2832	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1584	powershell.exe
1584	powershell.exe
2704	powershell.exe
2660	powershell.exe
2660	powershell.exe
2660	powershell.exe
1440	powershell.exe
1440	powershell.exe
1340	powershell.exe
2848	powershell.exe
2848	powershell.exe
2848	powershell.exe
860	powershell.exe
860	powershell.exe
1300	powershell.exe
2184	powershell.exe
2184	powershell.exe
2184	powershell.exe
2924	powershell.exe
2924	powershell.exe
1860	powershell.exe
2148	powershell.exe
2148	powershell.exe
2148	powershell.exe
2424	powershell.exe
2424	powershell.exe
2904	powershell.exe
2100	powershell.exe
2100	powershell.exe
2100	powershell.exe
1612	powershell.exe
1612	powershell.exe
2772	powershell.exe
2984	powershell.exe
2984	powershell.exe
2984	powershell.exe
2508	powershell.exe
2508	powershell.exe
3020	powershell.exe
1488	powershell.exe
1488	powershell.exe
1488	powershell.exe
2980	powershell.exe
2980	powershell.exe
1812	powershell.exe
1820	powershell.exe
1820	powershell.exe
1820	powershell.exe
1764	powershell.exe
1764	powershell.exe
2468	powershell.exe
2204	powershell.exe
2204	powershell.exe
2204	powershell.exe
1724	powershell.exe
1724	powershell.exe
1684	powershell.exe
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe
2428	powershell.exe
2428	powershell.exe
1576	powershell.exe
2620	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2068	2228	cmd.exe	29
PID 2228 wrote to memory of 2068	2228	cmd.exe	29
PID 2228 wrote to memory of 2068	2228	cmd.exe	29
PID 2228 wrote to memory of 2896	2228	cmd.exe	30
PID 2228 wrote to memory of 2896	2228	cmd.exe	30
PID 2228 wrote to memory of 2896	2228	cmd.exe	30
PID 2896 wrote to memory of 2676	2896	cmd.exe	31
PID 2896 wrote to memory of 2676	2896	cmd.exe	31
PID 2896 wrote to memory of 2676	2896	cmd.exe	31
PID 2228 wrote to memory of 2356	2228	cmd.exe	32
PID 2228 wrote to memory of 2356	2228	cmd.exe	32
PID 2228 wrote to memory of 2356	2228	cmd.exe	32
PID 2228 wrote to memory of 2188	2228	cmd.exe	33
PID 2228 wrote to memory of 2188	2228	cmd.exe	33
PID 2228 wrote to memory of 2188	2228	cmd.exe	33
PID 2228 wrote to memory of 1584	2228	cmd.exe	34
PID 2228 wrote to memory of 1584	2228	cmd.exe	34
PID 2228 wrote to memory of 1584	2228	cmd.exe	34
PID 2228 wrote to memory of 2704	2228	cmd.exe	35
PID 2228 wrote to memory of 2704	2228	cmd.exe	35
PID 2228 wrote to memory of 2704	2228	cmd.exe	35
PID 2228 wrote to memory of 2660	2228	cmd.exe	36
PID 2228 wrote to memory of 2660	2228	cmd.exe	36
PID 2228 wrote to memory of 2660	2228	cmd.exe	36
PID 2660 wrote to memory of 2556	2660	powershell.exe	37
PID 2660 wrote to memory of 2556	2660	powershell.exe	37
PID 2660 wrote to memory of 2556	2660	powershell.exe	37
PID 2556 wrote to memory of 2536	2556	cmd.exe	39
PID 2556 wrote to memory of 2536	2556	cmd.exe	39
PID 2556 wrote to memory of 2536	2556	cmd.exe	39
PID 2556 wrote to memory of 2128	2556	cmd.exe	40
PID 2556 wrote to memory of 2128	2556	cmd.exe	40
PID 2556 wrote to memory of 2128	2556	cmd.exe	40
PID 2128 wrote to memory of 1956	2128	cmd.exe	41
PID 2128 wrote to memory of 1956	2128	cmd.exe	41
PID 2128 wrote to memory of 1956	2128	cmd.exe	41
PID 2556 wrote to memory of 2152	2556	cmd.exe	42
PID 2556 wrote to memory of 2152	2556	cmd.exe	42
PID 2556 wrote to memory of 2152	2556	cmd.exe	42
PID 2556 wrote to memory of 3016	2556	cmd.exe	43
PID 2556 wrote to memory of 3016	2556	cmd.exe	43
PID 2556 wrote to memory of 3016	2556	cmd.exe	43
PID 2556 wrote to memory of 1440	2556	cmd.exe	44
PID 2556 wrote to memory of 1440	2556	cmd.exe	44
PID 2556 wrote to memory of 1440	2556	cmd.exe	44
PID 2556 wrote to memory of 1340	2556	cmd.exe	45
PID 2556 wrote to memory of 1340	2556	cmd.exe	45
PID 2556 wrote to memory of 1340	2556	cmd.exe	45
PID 2556 wrote to memory of 2848	2556	cmd.exe	46
PID 2556 wrote to memory of 2848	2556	cmd.exe	46
PID 2556 wrote to memory of 2848	2556	cmd.exe	46
PID 2848 wrote to memory of 2732	2848	powershell.exe	47
PID 2848 wrote to memory of 2732	2848	powershell.exe	47
PID 2848 wrote to memory of 2732	2848	powershell.exe	47
PID 2732 wrote to memory of 1740	2732	cmd.exe	49
PID 2732 wrote to memory of 1740	2732	cmd.exe	49
PID 2732 wrote to memory of 1740	2732	cmd.exe	49
PID 2732 wrote to memory of 1248	2732	cmd.exe	50
PID 2732 wrote to memory of 1248	2732	cmd.exe	50
PID 2732 wrote to memory of 1248	2732	cmd.exe	50
PID 1248 wrote to memory of 804	1248	cmd.exe	51
PID 1248 wrote to memory of 804	1248	cmd.exe	51
PID 1248 wrote to memory of 804	1248	cmd.exe	51
PID 2732 wrote to memory of 1704	2732	cmd.exe	52

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2676
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2356
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy AllSigned
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\fltMC.exe
      fltmc
      4⤵
      PID:2536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1956
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2152
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:3016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy AllSigned
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\system32\fltMC.exe
        
        fltmc
        6⤵
        
        PID:1740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:804
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1704
      - C:\Windows\system32\chcp.com
        
        chcp 437
        6⤵
        
        PID:2340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        7⤵
        
        PID:2096
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        8⤵
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        8⤵
        
        PID:2588
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2468
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        8⤵
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        9⤵
        
        PID:2336
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        10⤵
        
        PID:536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        10⤵
        
        PID:1360
        
        C:\Windows\system32\chcp.com
        
        chcp
        11⤵
        
        PID:1776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:464
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        10⤵
        
        PID:112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        10⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        11⤵
        
        PID:888
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        12⤵
        
        PID:1720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        12⤵
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp
        13⤵
        
        PID:2400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        12⤵
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        12⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        13⤵
        
        PID:2688
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        14⤵
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        14⤵
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp
        15⤵
        
        PID:2656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        14⤵
        
        PID:2524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        14⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        15⤵
        
        PID:2592
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        16⤵
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        16⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp
        17⤵
        
        PID:2864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2876
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        16⤵
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        16⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        17⤵
        
        PID:1856
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        18⤵
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        18⤵
        
        PID:1036
        
        C:\Windows\system32\chcp.com
        
        chcp
        19⤵
        
        PID:1920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1948
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        18⤵
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        18⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        19⤵
        
        PID:1132
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        20⤵
        
        PID:984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        20⤵
        
        PID:1324
        
        C:\Windows\system32\chcp.com
        
        chcp
        21⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        20⤵
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        20⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        21⤵
        
        PID:2904
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        22⤵
        
        PID:2272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        22⤵
        
        PID:2012
        
        C:\Windows\system32\chcp.com
        
        chcp
        23⤵
        
        PID:2196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1508
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        22⤵
        
        PID:1788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        22⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        22⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        22⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        23⤵
        
        PID:2776
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        24⤵
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        24⤵
        
        PID:2692
        
        C:\Windows\system32\chcp.com
        
        chcp
        25⤵
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2600
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        24⤵
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        24⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        25⤵
        
        PID:3020
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        26⤵
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        26⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp
        27⤵
        
        PID:2828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1368
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        26⤵
        
        PID:1480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        26⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        27⤵
        
        PID:1812
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        28⤵
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        28⤵
        
        PID:1532
        
        C:\Windows\system32\chcp.com
        
        chcp
        29⤵
        
        PID:1048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2744
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        28⤵
        
        PID:1316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        28⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        29⤵
        
        PID:2932
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        30⤵
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        30⤵
        
        PID:2168
        
        C:\Windows\system32\chcp.com
        
        chcp
        31⤵
        
        PID:1356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1632
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        30⤵
        
        PID:404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        30⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        31⤵
        
        PID:956
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        32⤵
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        32⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp
        33⤵
        
        PID:1276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2432
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        32⤵
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        32⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        33⤵
        
        PID:2972
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        34⤵
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        34⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp
        35⤵
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2624
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        34⤵
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        34⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        35⤵
        
        PID:2536
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        36⤵
        
        PID:696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        36⤵
        
        PID:2544
        
        C:\Windows\system32\chcp.com
        
        chcp
        37⤵
        
        PID:1052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:580
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        36⤵
        
        PID:768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        36⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        36⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        37⤵
        
        PID:2552
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        38⤵
        
        PID:324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        38⤵
        
        PID:2988
        
        C:\Windows\system32\chcp.com
        
        chcp
        39⤵
        
        PID:3028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:1992
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        38⤵
        
        PID:1964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        38⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        39⤵
        
        PID:2980
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        40⤵
        
        PID:2588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        40⤵
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp
        41⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        40⤵
        
        PID:1916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        40⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        41⤵
        
        PID:1776
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        42⤵
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        42⤵
        
        PID:1360
        
        C:\Windows\system32\chcp.com
        
        chcp
        43⤵
        
        PID:2396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:1324
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        42⤵
        
        PID:1708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        42⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        43⤵
        
        PID:1600
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        44⤵
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        44⤵
        
        PID:1328
        
        C:\Windows\system32\chcp.com
        
        chcp
        45⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:1428
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        44⤵
        
        PID:2076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        44⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        44⤵
        Blocklisted process makes network request
        
        PID:956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        44⤵
        
        PID:2388
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        45⤵
        
        PID:2364
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        46⤵
        
        PID:2628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        46⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp
        47⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        46⤵
        
        PID:1612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        46⤵
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        46⤵
        Blocklisted process makes network request
        
        PID:1440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        46⤵
        
        PID:2828
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        47⤵
        
        PID:2556
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        48⤵
        
        PID:1572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        48⤵
        
        PID:2848
        
        C:\Windows\system32\chcp.com
        
        chcp
        49⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        48⤵
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        48⤵
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        48⤵
        Blocklisted process makes network request
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        48⤵
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        49⤵
        
        PID:1948
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        50⤵
        
        PID:2592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        50⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp
        51⤵
        
        PID:328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:1872
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        50⤵
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        50⤵
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        50⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        50⤵
        
        PID:1856
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        51⤵
        
        PID:1860
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        52⤵
        
        PID:788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        52⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp
        53⤵
        
        PID:2092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:2148
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        52⤵
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        52⤵
        
        PID:2980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        52⤵
        Blocklisted process makes network request
        
        PID:1020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        52⤵
        
        PID:996
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        53⤵
        
        PID:2036
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        54⤵
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        54⤵
        
        PID:1504
        
        C:\Windows\system32\chcp.com
        
        chcp
        55⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:1788
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        54⤵
        
        PID:700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        54⤵
        
        PID:2096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        54⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        54⤵
        
        PID:2500
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        55⤵
        
        PID:2664
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        56⤵
        
        PID:836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        56⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp
        57⤵
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:2236
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        56⤵
        
        PID:2772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        56⤵
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        56⤵
        Blocklisted process makes network request
        
        PID:580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        56⤵
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        57⤵
        
        PID:2884
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        58⤵
        
        PID:2872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        58⤵
        
        PID:2912
        
        C:\Windows\system32\chcp.com
        
        chcp
        59⤵
        
        PID:1248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:2644
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        58⤵
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        58⤵
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        58⤵
        Blocklisted process makes network request
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        58⤵
        
        PID:1048
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        59⤵
        
        PID:608
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        60⤵
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        60⤵
        
        PID:2740
        
        C:\Windows\system32\chcp.com
        
        chcp
        61⤵
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        60⤵
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        60⤵
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        60⤵
        Blocklisted process makes network request
        
        PID:2160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        60⤵
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        61⤵
        
        PID:632
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        62⤵
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        62⤵
        
        PID:2220
        
        C:\Windows\system32\chcp.com
        
        chcp
        63⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:2344
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        62⤵
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        62⤵
        Blocklisted process makes network request
        
        PID:1360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        62⤵
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        63⤵
        
        PID:1200
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        64⤵
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        64⤵
        
        PID:1224
        
        C:\Windows\system32\chcp.com
        
        chcp
        65⤵
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:996
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        64⤵
        
        PID:1996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        64⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        64⤵
        Blocklisted process makes network request
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        64⤵
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        65⤵
        
        PID:2216
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        66⤵
        
        PID:2520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        66⤵
        
        PID:956
        
        C:\Windows\system32\chcp.com
        
        chcp
        67⤵
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        66⤵
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        66⤵
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        66⤵
        
        PID:768
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        67⤵
        
        PID:1152
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        68⤵
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        68⤵
        
        PID:1044
        
        C:\Windows\system32\chcp.com
        
        chcp
        69⤵
        
        PID:1368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        68⤵
        
        PID:2664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        68⤵
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        69⤵
        
        PID:1264
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        70⤵
        
        PID:756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        70⤵
        
        PID:1928
        
        C:\Windows\system32\chcp.com
        
        chcp
        71⤵
        
        PID:2876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:1480
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        70⤵
        
        PID:2688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        70⤵
        
        PID:2720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        70⤵
        
        PID:1712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        70⤵
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        71⤵
        
        PID:1816
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        72⤵
        
        PID:1420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        72⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp
        73⤵
        
        PID:1356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:572
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        72⤵
        
        PID:608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        72⤵
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        72⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        72⤵
        
        PID:2144
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        73⤵
        
        PID:2140
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        74⤵
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        74⤵
        
        PID:2808
        
        C:\Windows\system32\chcp.com
        
        chcp
        75⤵
        
        PID:2280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:2940
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        74⤵
        
        PID:1096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        74⤵
        
        PID:632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        74⤵
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        74⤵
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        75⤵
        
        PID:2784
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        76⤵
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        76⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp
        77⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        76⤵
        
        PID:2432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        76⤵
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        76⤵
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        76⤵
        
        PID:2608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        77⤵
        
        PID:3016
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        78⤵
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        78⤵
        
        PID:580
        
        C:\Windows\system32\chcp.com
        
        chcp
        79⤵
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        78⤵
        
        PID:768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        78⤵
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        78⤵
        
        PID:2644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        78⤵
        
        PID:3028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        79⤵
        
        PID:2000
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        80⤵
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        80⤵
        
        PID:1300
        
        C:\Windows\system32\chcp.com
        
        chcp
        81⤵
        
        PID:2352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:1972
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        80⤵
        
        PID:1424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        80⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        80⤵
        
        PID:1340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        80⤵
        
        PID:2132
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        81⤵
        
        PID:2348
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        82⤵
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        82⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp
        83⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:2552
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        82⤵
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        82⤵
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        82⤵
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        82⤵
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        83⤵
        
        PID:2424
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        84⤵
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        84⤵
        
        PID:1360
        
        C:\Windows\system32\chcp.com
        
        chcp
        85⤵
        
        PID:2376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        84⤵
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        84⤵
        
        PID:1816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        84⤵
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        84⤵
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        85⤵
        
        PID:2624
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        86⤵
        
        PID:2076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        86⤵
        
        PID:1728
        
        C:\Windows\system32\chcp.com
        
        chcp
        87⤵
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        86⤵
        
        PID:1780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        86⤵
        
        PID:3052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        86⤵
        
        PID:956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        86⤵
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        87⤵
        
        PID:2128
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        88⤵
        
        PID:1624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        88⤵
        
        PID:264
        
        C:\Windows\system32\chcp.com
        
        chcp
        89⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:528
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        88⤵
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        88⤵
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        88⤵
        
        PID:2852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        88⤵
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        89⤵
        
        PID:1704
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        90⤵
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        90⤵
        
        PID:1244
        
        C:\Windows\system32\chcp.com
        
        chcp
        91⤵
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:1924
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        90⤵
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        90⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        90⤵
        
        PID:2844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        90⤵
        
        PID:2832
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        91⤵
        
        PID:1916
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        92⤵
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        92⤵
        
        PID:2592
        
        C:\Windows\system32\chcp.com
        
        chcp
        93⤵
        
        PID:1712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:2588
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        92⤵
        
        PID:1936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        92⤵
        
        PID:1992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        92⤵
        
        PID:1356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        92⤵
        
        PID:1324
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        93⤵
        
        PID:2344
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        94⤵
        
        PID:1708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        94⤵
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp
        95⤵
        
        PID:3004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:1148
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        94⤵
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        94⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        94⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        94⤵
        
        PID:2396
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        95⤵
        
        PID:984
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        96⤵
        
        PID:2100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        96⤵
        
        PID:1348
        
        C:\Windows\system32\chcp.com
        
        chcp
        97⤵
        
        PID:944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:2012
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        96⤵
        
        PID:1788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        96⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        96⤵
        
        PID:2780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        96⤵
        
        PID:2196
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        97⤵
        
        PID:2412
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        98⤵
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        98⤵
        
        PID:2508
        
        C:\Windows\system32\chcp.com
        
        chcp
        99⤵
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        98⤵
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        98⤵
        
        PID:836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        98⤵
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        98⤵
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        99⤵
        
        PID:2524
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        100⤵
        
        PID:324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        100⤵
        
        PID:2888
        
        C:\Windows\system32\chcp.com
        
        chcp
        101⤵
        
        PID:2692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        100⤵
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        100⤵
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        100⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        100⤵
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        101⤵
        
        PID:2876
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        102⤵
        
        PID:2532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        102⤵
        
        PID:1660
        
        C:\Windows\system32\chcp.com
        
        chcp
        103⤵
        
        PID:328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        102⤵
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        102⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        102⤵
        
        PID:1936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        102⤵
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        103⤵
        
        PID:1356
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        104⤵
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        104⤵
        
        PID:2124
        
        C:\Windows\system32\chcp.com
        
        chcp
        105⤵
        
        PID:2116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        104⤵
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        104⤵
        
        PID:352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        104⤵
        
        PID:1772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        104⤵
        
        PID:1816
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        105⤵
        
        PID:632
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        106⤵
        
        PID:824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        106⤵
        
        PID:1860
        
        C:\Windows\system32\chcp.com
        
        chcp
        107⤵
        
        PID:2464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        106⤵
        
        PID:2148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        106⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        106⤵
        
        PID:2640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        106⤵
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        107⤵
        
        PID:2056
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        108⤵
        
        PID:2600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        108⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp
        109⤵
        
        PID:2036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:2772
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        108⤵
        
        PID:2196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        108⤵
        
        PID:976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        108⤵
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        108⤵
        
        PID:2460
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        109⤵
        
        PID:580
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        110⤵
        
        PID:2664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        110⤵
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp
        111⤵
        
        PID:2364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:2872
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        110⤵
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        110⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        110⤵
        
        PID:2632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        110⤵
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        111⤵
        
        PID:756
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        112⤵
        
        PID:1972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        112⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp
        113⤵
        
        PID:2968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:592
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        112⤵
        
        PID:1296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        112⤵
        
        PID:1048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        112⤵
        
        PID:2532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        112⤵
        
        PID:2588
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        113⤵
        
        PID:1792
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        114⤵
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        114⤵
        
        PID:988
        
        C:\Windows\system32\chcp.com
        
        chcp
        115⤵
        
        PID:664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        114⤵
        
        PID:2372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        114⤵
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        114⤵
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        114⤵
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        115⤵
        
        PID:912
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        116⤵
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        116⤵
        
        PID:2376
        
        C:\Windows\system32\chcp.com
        
        chcp
        117⤵
        
        PID:2284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        116⤵
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        116⤵
        
        PID:2940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        116⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        116⤵
        
        PID:1788
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        117⤵
        
        PID:1780
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        118⤵
        
        PID:2768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        118⤵
        
        PID:864
        
        C:\Windows\system32\chcp.com
        
        chcp
        119⤵
        
        PID:2640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        118⤵
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        118⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        118⤵
        
        PID:2392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        118⤵
        
        PID:2504
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        119⤵
        
        PID:520
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        120⤵
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        120⤵
        
        PID:1088
        
        C:\Windows\system32\chcp.com
        
        chcp
        121⤵
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:2596
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        120⤵
        
        PID:2492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        120⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        120⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        120⤵
        
        PID:956
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        121⤵
        
        PID:3028
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        122⤵
        
        PID:2128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        122⤵
        
        PID:2632
        
        C:\Windows\system32\chcp.com
        
        chcp
        123⤵
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        122⤵
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        122⤵
        
        PID:2024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        122⤵
        
        PID:2352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        122⤵
        
        PID:2864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        123⤵
        
        PID:1304
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        124⤵
        
        PID:2612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        124⤵
        
        PID:1036
        
        C:\Windows\system32\chcp.com
        
        chcp
        125⤵
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:2000
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        124⤵
        
        PID:572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        124⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        124⤵
        
        PID:1424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        124⤵
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        125⤵
        
        PID:1872
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        126⤵
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        126⤵
        
        PID:788
        
        C:\Windows\system32\chcp.com
        
        chcp
        127⤵
        
        PID:1848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        126⤵
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        126⤵
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        126⤵
        
        PID:828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        126⤵
        
        PID:1096
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        127⤵
        
        PID:1912
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        128⤵
        
        PID:928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        128⤵
        
        PID:944
        
        C:\Windows\system32\chcp.com
        
        chcp
        129⤵
        
        PID:1724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:1728
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        128⤵
        
        PID:2032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        128⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        128⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        128⤵
        
        PID:960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        129⤵
        
        PID:2520
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        130⤵
        
        PID:2400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        130⤵
        
        PID:1732
        
        C:\Windows\system32\chcp.com
        
        chcp
        131⤵
        
        PID:976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:1028
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        130⤵
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        130⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        130⤵
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        130⤵
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        131⤵
        
        PID:2364
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        132⤵
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        132⤵
        
        PID:464
        
        C:\Windows\system32\chcp.com
        
        chcp
        133⤵
        
        PID:2704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        132⤵
        
        PID:1488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        132⤵
        
        PID:2480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        132⤵
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        132⤵
        
        PID:1152
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        133⤵
        
        PID:1808
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        134⤵
        
        PID:1972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        134⤵
        
        PID:840
        
        C:\Windows\system32\chcp.com
        
        chcp
        135⤵
        
        PID:1340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        134⤵
        
        PID:2852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        134⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        134⤵
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        134⤵
        
        PID:1300
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        135⤵
        
        PID:664
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        136⤵
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        136⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp
        137⤵
        
        PID:1928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:2124
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        136⤵
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        136⤵
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        136⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        136⤵
        
        PID:2084
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        137⤵
        
        PID:2468
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        138⤵
        
        PID:2668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        138⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp
        139⤵
        
        PID:1428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:1816
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        138⤵
        
        PID:1356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        138⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        138⤵
        
        PID:1724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        138⤵
        
        PID:912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        139⤵
        
        PID:2432
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        140⤵
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        140⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp
        141⤵
        
        PID:2156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:2368
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        140⤵
        
        PID:3052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        140⤵
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        140⤵
        
        PID:976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        140⤵
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        141⤵
        
        PID:2920
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        142⤵
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        142⤵
        
        PID:1056
        
        C:\Windows\system32\chcp.com
        
        chcp
        143⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:2888
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        142⤵
        
        PID:2776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        142⤵
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        142⤵
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        142⤵
        
        PID:528
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        143⤵
        
        PID:1396
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        144⤵
        
        PID:592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        144⤵
        
        PID:1296
        
        C:\Windows\system32\chcp.com
        
        chcp
        145⤵
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:2912
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        144⤵
        
        PID:1316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        144⤵
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        144⤵
        
        PID:1972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        144⤵
        
        PID:3028
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        145⤵
        
        PID:1740
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        146⤵
        
        PID:1572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        146⤵
        
        PID:2560
        
        C:\Windows\system32\chcp.com
        
        chcp
        147⤵
        
        PID:2732
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:844
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        146⤵
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        146⤵
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        146⤵
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        146⤵
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        147⤵
        
        PID:1552
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        148⤵
        
        PID:1132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        148⤵
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp
        149⤵
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:2540
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        148⤵
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        148⤵
        
        PID:2808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        148⤵
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        148⤵
        
        PID:2280
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        149⤵
        
        PID:1940
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        150⤵
        
        PID:1832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        150⤵
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp
        151⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        150⤵
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        150⤵
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        150⤵
        
        PID:1684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        150⤵
        
        PID:2712
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        151⤵
        
        PID:1028
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        152⤵
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        152⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp
        153⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        152⤵
        
        PID:836
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        152⤵
        
        PID:2964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        152⤵
        
        PID:1584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        152⤵
        
        PID:1056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        152⤵
        
        PID:2228
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        153⤵
        
        PID:464
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        154⤵
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        154⤵
        
        PID:2652
        
        C:\Windows\system32\chcp.com
        
        chcp
        155⤵
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        154⤵
        
        PID:1480
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        154⤵
        
        PID:2252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        154⤵
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        154⤵
        
        PID:956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        154⤵
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        155⤵
        
        PID:804
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        156⤵
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        156⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp
        157⤵
        
        PID:2708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        156⤵
        
        PID:2592
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        156⤵
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        156⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        156⤵
        
        PID:1856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        156⤵
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        157⤵
        
        PID:1660
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        158⤵
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        158⤵
        
        PID:1280
        
        C:\Windows\system32\chcp.com
        
        chcp
        159⤵
        
        PID:2876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        158⤵
        
        PID:2220
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        158⤵
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        158⤵
        
        PID:788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        158⤵
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        158⤵
        
        PID:2136
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        159⤵
        
        PID:1872
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        160⤵
        
        PID:1348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        160⤵
        
        PID:2012
        
        C:\Windows\system32\chcp.com
        
        chcp
        161⤵
        
        PID:1792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        160⤵
        
        PID:2116
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        160⤵
        
        PID:1636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        160⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        160⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        160⤵
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        161⤵
        
        PID:1776
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        162⤵
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        162⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp
        163⤵
        
        PID:1032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        162⤵
        
        PID:1508
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        162⤵
        
        PID:1516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        162⤵
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        162⤵
        
        PID:984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        162⤵
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        163⤵
        
        PID:2960
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        164⤵
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        164⤵
        
        PID:2700
        
        C:\Windows\system32\chcp.com
        
        chcp
        165⤵
        
        PID:2520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        164⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        164⤵
        
        PID:2676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        164⤵
        
        PID:1056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        164⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        164⤵
        
        PID:2920
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        165⤵
        
        PID:1152
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        166⤵
        
        PID:1600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        166⤵
        
        PID:2352
        
        C:\Windows\system32\chcp.com
        
        chcp
        167⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        166⤵
        
        PID:2912
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        166⤵
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        166⤵
        
        PID:1296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        166⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        166⤵
        
        PID:2624
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        167⤵
        
        PID:2892
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        168⤵
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        168⤵
        
        PID:920
        
        C:\Windows\system32\chcp.com
        
        chcp
        169⤵
        
        PID:1812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        168⤵
        
        PID:1616
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        168⤵
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        168⤵
        
        PID:1868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        168⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        168⤵
        
        PID:1276
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        169⤵
        
        PID:1360
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        170⤵
        
        PID:740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        170⤵
        
        PID:2000
        
        C:\Windows\system32\chcp.com
        
        chcp
        171⤵
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        170⤵
        
        PID:996
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        170⤵
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        170⤵
        
        PID:1712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        170⤵
        
        PID:1824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        170⤵
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        171⤵
        
        PID:2268
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        172⤵
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        172⤵
        
        PID:2296
        
        C:\Windows\system32\chcp.com
        
        chcp
        173⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        172⤵
        
        PID:2952
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        172⤵
        
        PID:2184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        172⤵
        
        PID:1996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        172⤵
        
        PID:2680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        172⤵
        
        PID:1508
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        173⤵
        
        PID:2096
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        174⤵
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        174⤵
        
        PID:836
        
        C:\Windows\system32\chcp.com
        
        chcp
        175⤵
        
        PID:1724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        174⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        174⤵
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        174⤵
        
        PID:2964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        174⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        174⤵
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        175⤵
        
        PID:2784
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        176⤵
        
        PID:2228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        176⤵
        
        PID:2792
        
        C:\Windows\system32\chcp.com
        
        chcp
        177⤵
        
        PID:976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        176⤵
        
        PID:1368
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        176⤵
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        176⤵
        
        PID:1488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        176⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        176⤵
        
        PID:2616
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        177⤵
        
        PID:1296
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        178⤵
        
        PID:1340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        178⤵
        
        PID:2472
        
        C:\Windows\system32\chcp.com
        
        chcp
        179⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        178⤵
        
        PID:2132
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        178⤵
        
        PID:572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        178⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        178⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        178⤵
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        179⤵
        
        PID:1868
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        180⤵
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        180⤵
        
        PID:3004
        
        C:\Windows\system32\chcp.com
        
        chcp
        181⤵
        
        PID:1928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        180⤵
        
        PID:760
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        180⤵
        
        PID:680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        180⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        180⤵
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        180⤵
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        181⤵
        
        PID:2116
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        182⤵
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        182⤵
        
        PID:2336
        
        C:\Windows\system32\chcp.com
        
        chcp
        183⤵
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        182⤵
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        182⤵
        
        PID:944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        182⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        182⤵
        
        PID:788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        182⤵
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        183⤵
        
        PID:2196
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        184⤵
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        184⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp
        185⤵
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        184⤵
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        184⤵
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        184⤵
        
        PID:2392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        184⤵
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        184⤵
        
        PID:984
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        185⤵
        
        PID:2896
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        186⤵
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        186⤵
        
        PID:2072
        
        C:\Windows\system32\chcp.com
        
        chcp
        187⤵
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        186⤵
        
        PID:2888
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        186⤵
        
        PID:1584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        186⤵
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        186⤵
        
        PID:2632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        186⤵
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        187⤵
        
        PID:2444
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        188⤵
        
        PID:1600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        188⤵
        
        PID:2968
        
        C:\Windows\system32\chcp.com
        
        chcp
        189⤵
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        188⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        188⤵
        
        PID:580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        188⤵
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        188⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        188⤵
        
        PID:1944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        189⤵
        
        PID:2664
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        190⤵
        
        PID:1152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        190⤵
        
        PID:1964
        
        C:\Windows\system32\chcp.com
        
        chcp
        191⤵
        
        PID:920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        190⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        190⤵
        
        PID:1812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        190⤵
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        190⤵
        
        PID:328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        190⤵
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        191⤵
        
        PID:1800
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        192⤵
        
        PID:1428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        192⤵
        
        PID:1300
        
        C:\Windows\system32\chcp.com
        
        chcp
        193⤵
        
        PID:2000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        192⤵
        
        PID:1932
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        192⤵
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        192⤵
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        192⤵
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        192⤵
        
        PID:944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        193⤵
        
        PID:1728
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        194⤵
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        194⤵
        
        PID:2236
        
        C:\Windows\system32\chcp.com
        
        chcp
        195⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        194⤵
        
        PID:1948
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        194⤵
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        194⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        194⤵
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        194⤵
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        195⤵
        
        PID:1788
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        196⤵
        
        PID:1336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        196⤵
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp
        197⤵
        
        PID:2268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        196⤵
        
        PID:836
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        196⤵
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        196⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        196⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        196⤵
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        197⤵
        
        PID:2644
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        198⤵
        
        PID:2488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        198⤵
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp
        199⤵
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        198⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        198⤵
        
        PID:2252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        198⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        198⤵
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        198⤵
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        199⤵
        
        PID:2652
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        200⤵
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        200⤵
        
        PID:1796
        
        C:\Windows\system32\chcp.com
        
        chcp
        201⤵
        
        PID:1480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        200⤵
        
        PID:2472
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        200⤵
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        200⤵
        
        PID:572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        200⤵
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        200⤵
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        201⤵
        
        PID:1572
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        202⤵
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        202⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp
        203⤵
        
        PID:2220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        202⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        202⤵
        
        PID:760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        202⤵
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        202⤵
        
        PID:1772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        202⤵
        
        PID:1348
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        203⤵
        
        PID:1712
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        204⤵
        
        PID:804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        204⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp
        205⤵
        
        PID:2344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        204⤵
        
        PID:2100
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        204⤵
        
        PID:2164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        204⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        204⤵
        
        PID:112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        204⤵
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        205⤵
        
        PID:2952
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        206⤵
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        206⤵
        
        PID:2012
        
        C:\Windows\system32\chcp.com
        
        chcp
        207⤵
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        206⤵
        
        PID:2148
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        206⤵
        
        PID:2640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        206⤵
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        206⤵
        
        PID:864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        206⤵
        
        PID:2268
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        207⤵
        
        PID:1716
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        208⤵
        
        PID:2076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        208⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp
        209⤵
        
        PID:2036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        208⤵
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        208⤵
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        208⤵
        
        PID:2520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        208⤵
        
        PID:3068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        208⤵
        
        PID:2024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        209⤵
        
        PID:2556
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        210⤵
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        210⤵
        
        PID:2460
        
        C:\Windows\system32\chcp.com
        
        chcp
        211⤵
        
        PID:2568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        210⤵
        
        PID:2352
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        210⤵
        
        PID:2688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        210⤵
        
        PID:2920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        210⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        210⤵
        
        PID:1796
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        211⤵
        
        PID:2708
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        212⤵
        
        PID:2960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        212⤵
        
        PID:1224
        
        C:\Windows\system32\chcp.com
        
        chcp
        213⤵
        
        PID:1396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        212⤵
        
        PID:3008
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        212⤵
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        212⤵
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        212⤵
        
        PID:680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        212⤵
        
        PID:2264
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        213⤵
        
        PID:2612
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        214⤵
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        214⤵
        
        PID:924
        
        C:\Windows\system32\chcp.com
        
        chcp
        215⤵
        
        PID:1036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        214⤵
        
        PID:1664
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        214⤵
        
        PID:2316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        214⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        214⤵
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        214⤵
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        215⤵
        
        PID:3012
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        216⤵
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        216⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp
        217⤵
        
        PID:1228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        216⤵
        
        PID:740
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        216⤵
        
        PID:2580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        216⤵
        
        PID:944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        216⤵
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        216⤵
        
        PID:2060
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        217⤵
        
        PID:2188
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        218⤵
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        218⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp
        219⤵
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        218⤵
        
        PID:1816
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        218⤵
        
        PID:2204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        218⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        218⤵
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        218⤵
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d0fd6aee4f18f254b0aadfb17ea2ab48

SHA1
708c0cf0fed9d90b8fc85144057544a01fb944fc

SHA256
e203cd1d3a26572ed8dde1cf3710980c3a2ef948cd658a543f211787cbdc06d0

SHA512
fe9c45e62689129b1445e1089a106b62749f5b2379a74cf28f8c92bf3d230fec284da5f1c2b41c13881a8a6049f173738b6568075b3e26b51c13be31a4c470af

Download Submit
memory/1584-4-0x000007FEF5BAE000-0x000007FEF5BAF000-memory.dmp

Filesize
4KB

Download
memory/1584-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1584-6-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1584-7-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/1584-8-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/1584-10-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/1584-11-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/1584-9-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2704-17-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2704-18-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download